[Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

Jan Orel janorel at gmail.com
Thu Oct 15 15:28:48 UTC 2015


> Anything bound to IPA can potentially retrieve a certificate. This code
> adds special handling for hosts and probably should cover services as
> well now that I think about it. I don't think services could be included
> in ACIs when this was originally written.
>
> The idea was that hosts have no need to be able to query random serial
> numbers so it should be limited to viewing its own. Removing the if
> hostname: applies this logic to ALL retrieval which is by far overkill
> and limits all non-admin entries to only be able to view certs they own
> (or can write) which sort of kills the reason for the 'retrieve
> certificate' permission.

OK, anyway, I don't think I am able to refactor right now to also
include the services.

I am attaching a new, simple patch.
Name: freeipa-xorel-0001-3-cert-show-verify-write-access-to-userCertificate.patch
URL: <http://listman.redhat.com/archives/freeipa-devel/attachments/20151015/57d98cec/attachment.bin>