Attachment 314988 Details for Bug 457835 – Source fixes for new installations

[patch] Source fixes for new installations

freeipa-cve-2008-3274-fixes.patch (text/plain), 3.35 KB, created by Simo Sorce on 2008-08-26 12:53:14 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Simo Sorce

Created: 2008-08-26 12:53:14 UTC

Size: 3.35 KB

patch

obsolete

>From 7bd21c0d8b0c0889289c7e1eaeb21fb0f1d0c99f Mon Sep 17 00:00:00 2001
>From: Simo Sorce <ssorce@redhat.com>
>Date: Fri, 15 Aug 2008 17:17:03 -0400
>Subject: [PATCH] CVE 2008 3274 related fixes
>
>---
> ipa-server/ipa-install/share/default-aci.ldif |    4 ++--
> ipa-server/ipaserver/krbinstance.py           |    8 +++++++-
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
>diff --git a/ipa-server/ipa-install/share/default-aci.ldif b/ipa-server/ipa-install/share/default-aci.ldif
>index d2946fa..25bd3b2 100644
>--- a/ipa-server/ipa-install/share/default-aci.ldif
>+++ b/ipa-server/ipa-install/share/default-aci.ldif
>@@ -3,8 +3,8 @@
> dn: $SUFFIX
> changetype: modify
> add: aci
>-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>-aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
>+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Enable Anonymous access"; allow (read, search, compare) userdn = "ldap:///anyone";)
>+aci: (targetattr != "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory || krbMKey")(version 3.0; acl "Admin can manage any entry"; allow (all) userdn = "ldap:///uid=admin,cn=users,cn=accounts,$SUFFIX";)
> aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword")(version 3.0; acl "Self can write own password"; allow (write) userdn="ldap:///self";)
> aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Admins can write passwords"; allow (add,delete,write) groupdn="ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";)
> aci: (targetattr = "userPassword || krbPrincipalKey || sambaLMPassword || sambaNTPassword || passwordHistory")(version 3.0; acl "Password change service can read/write passwords"; allow (read, write) userdn="ldap:///krbprincipalname=kadmin/changepw@$REALM,cn=$REALM,cn=kerberos,$SUFFIX";)
>diff --git a/ipa-server/ipaserver/krbinstance.py b/ipa-server/ipaserver/krbinstance.py
>index deea4a6..1668561 100644
>--- a/ipa-server/ipaserver/krbinstance.py
>+++ b/ipa-server/ipaserver/krbinstance.py
>@@ -48,6 +48,10 @@
> import struct
> import base64
> 
>+KRBMKEY_DENY_ACI = """
>+(targetattr = "krbMKey")(version 3.0; acl "No external access"; deny (all) userdn != "ldap:///uid=kdc,cn=sysaccounts,cn=etc,$SUFFIX";)
>+"""
>+
> def update_key_val_in_file(filename, key, val):
>     if os.path.exists(filename):
>         pattern = "^[\s#]*%s\s*=\s*%s\s*" % (re.escape(key), re.escape(val))
>@@ -358,7 +362,9 @@
> 
>         entry = ipaldap.Entry("cn="+self.realm+",cn=kerberos,"+self.suffix)
>         dn = "cn="+self.realm+",cn=kerberos,"+self.suffix
>-        mod = [(ldap.MOD_ADD, 'krbMKey', str(asn1key))]
>+        #protect the master key by adding an appropriate deny rule along with the key
>+        mod = [(ldap.MOD_ADD, 'aci', ipautil.template_str(KRBMKEY_DENY_ACI, self.sub_dict)),
>+               (ldap.MOD_ADD, 'krbMKey', str(asn1key))]
>         try:
>             self.conn.modify_s(dn, mod)
>         except ldap.TYPE_OR_VALUE_EXISTS, e:

Actions: View | Diff

Attachments on bug 457835: 314983 | 314984 | 314985 | 314986 | 314987 | 314988 | 314989