Bug 1250145
| Summary: | Add permission for user to bypass caacl enforcement | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Jan Cholasta <jcholast> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Namita Soman <nsoman> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 7.2 | CC: | ksiddiqu, mbasti, rcritten, spoore |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | ipa-4.2.0-5.el7 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-11-19 12:04:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Jan Cholasta
2015-08-04 15:19:34 UTC
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/6fa14fd21e664925268d80a2263c556b2bc35139
ipa-4-2: https://fedorahosted.org/freeipa/changeset/ef8f431c93b5587247eeb7de9e74d15e5fc6f616

Comment 1

How can I verify this? Does this cover verification?

ipa privilege-show "Certificate Administrators"
ipa permission-show "Request Certificate ignoring CA ACLs"
ipa caacl-disable hosts_services_caIPAserviceCert
certutil -R -d /etc/pki/nssdb/ -s "CN=$(hostname)" -a -o /root/bzsvc1.csr -v 12 -8 $(hostname)
ipa cert-request /root/bzsvc1.csr --profile-id=caIPAserviceCert --principal=BZSVC1/$(hostname)

How can I confirm that this doesn't allow anyone to do this now? Is it possible to add a new user and give them permissions that would allow them to create a service but not allow them to ignore the CAACL restrictions?

[root@rhel7-1 ~]# ipa privilege-show --raw --all "Certificate Administrators"
dn: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=com
cn: Certificate Administrators
description: Certificate Administrators
memberof: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Request Certificate,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Revoke Certificate,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Modify CA Certificate For Renewal,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Modify Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=System: Remove Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
[root@rhel7-1 ~]# ipa permission-show --raw --all "Request Certificate ignoring CA ACLs"
dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com
cn: Request Certificate ignoring CA ACLs
ipapermright: write
ipapermincludedattr: objectclass
ipapermbindruletype: permission
ipapermlocation: dc=example,dc=com
ipapermtarget: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=example,dc=com
member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=com
aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=example,dc=com" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com";)
objectclass: ipapermission
objectclass: top
objectclass: groupofnames
[root@rhel7-1 ~]# ipa caacl-find
----------------
1 CA ACL matched
----------------
ACL name: hosts_services_caIPAserviceCert
Enabled: FALSE
Host category: all
Service category: all
Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------
[root@rhel7-1 ~]# certutil -R -d /etc/pki/nssdb/ -s "CN=$(hostname)" -a -o /root/bzsvc1.csr -v 12 -8 $(hostname)
A random seed must be generated that will be used in the creation of your key. One of the easiest ways to create a random seed is to use the timing of keystrokes on a keyboard.
To begin, type keys on the keyboard until this progress meter is full. DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!
Continue typing until the progress meter is full:
|************************************************************|
Finished. Press enter to continue:
Generating key. This may take a few moments...
[root@rhel7-1 ~]# ipa cert-request /root/bzsvc1.csr --profile-id=caIPAserviceCert --principal=BZSVC1/rhel7-1.example.com
Certificate: MIIEMTCCAxmgAwIBAgIBDjANBgkqhkiG9w0BAQsFADA2MRQwEgYDVQQKDAtFWEFNUExFLkNPTTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE1MDkyOTE1MzI1NFoXDTE3MDkyOTE1MzI1NFowNDEUMBIGA1UECgwLRVhBTVBMRS5DT00xHDAaBgNVBAMME3JoZWw3LTEuZXhhbXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDNxHE1tVneUa4T3eJ2Jn/atTcY0U/7nyFsr8fUwGbGbt5zCyJaSBTIpgEFwtZpCT77G4sidcN9NWXSKucv7WDyzqSTf9KQ4LH2KgO0XRZ1SblJ+WDui6NMBgrnJxneYyQ3tV/KqLN/7PmSyT2uExCdlFBCyMmN01aBr1xf162VgxbbVAQTJLgOJuBXTUywLw/GODnHBpl5dkoO1Enl6QYvmiWqniqr2qb9fggQ+cDt3EwtYCrPB5XuABivl6lUSFHUZGDnAOLzV840Iewk/4Bs/64NhMm48jsBQAOJSpmtXNuM9x+F/pHsUs4II4JyGjEHBAJSgUrNHNPK3Sitf0RhAgMBAAGjggFKMIIBRjAfBgNVHSMEGDAWgBTCs1rAAeNGsmySibCItabACy0ZTjA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6Ly9pcGEtY2EuZXhhbXBsZS5jb20vY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBPAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMHYGA1UdHwRvMG0wa6AzoDGGL2h0dHA6Ly9pcGEtY2EuZXhhbXBsZS5jb20vaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRkuDi19+JVFP/e9pCxbKBOcfFz8TAeBgNVHREEFzAVghNyaGVsNy0xLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQCHHdMf7kw6phmUzuYu0THDkMtO1tpXEJoXqjgR4mbtD4uWTlCFcy2zfuRgsr9+LfCKZLZFrRDUkiHdfsHH16HRO+6hjBWA3xw6DVtp2/9W/QVFz6I12P9WGJ6EQQdP1Q17Q6ESRyDA/Dl8rYfyM9DPLNopthBdghQF7rTgRLAIePeEJfMv8Vj6vxWgKQrw8v5QVk1usrrBxYSi7TwkObEddS+FjDZ96kaSDq6rPOUUkdTfG7/fs7Q3Pkz0y58Qps0UFjhRTeBiVLSteL+rRP3AhgGJ87HnKIVOQ+OW5kC/18IfF9WvMWk/j8vBjduwJwGt9661VDwx6IsqADaiNz83
Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Tue Sep 29 15:32:54 2015 UTC
Not After: Fri Sep 29 15:32:54 2017 UTC
Fingerprint (MD5): cc:98:f5:3a:d5:3d:bd:6f:2f:4f:87:a2:9f:fe:f7:dd
Fingerprint (SHA1): 22:ed:6b:92:fd:7a:28:79:19:66:a7:55:e8:71:18:6e:b7:7c:9a:d9
Serial number: 14
Serial number (hex): 0xE

Comment 2

Hello, you can add a new user that should not be allowed to do anything with certificates. Then you can create a new privilege from Certificate Admins without the "Request Certificate ignoring CA ACLs" permission. The user should be able to do operations allowed by the CA ACL when this privilege is added to him.

Comment 3

Martin,

Is there an easy way to clone the privilege or do I have to manually create a new one without that permission?

Thanks,
Scott

Comment 4

IMO there is no way to copy privileges. You have to create a new privilege manually.

Comment 5

Verified.
Version ::
ipa-server-4.2.0-11.el7.x86_64
Results ::
[root@rhel7-1 ~]# ipa privilege-add testpriv
--------------------------
Added privilege "testpriv"
--------------------------
[root@rhel7-1 ~]# OLD_IFS="$IFS"
[root@rhel7-1 ~]# IFS="
> "
[root@rhel7-1 ~]# for perm in $(ipa privilege-show --all --raw "Certificate Administrators" |grep -i memberof|cut -f2 -d=|cut -f1 -d,|grep -v "Request Certificate ignoring CA ACLs"); do ipa privilege-add-permission testpriv --permissions="$perm"; done
...truncated....
Privilege name: testpriv
Permissions: Retrieve Certificates from the CA, Request Certificate, Request Certificates from a
different host, Get Certificates status from the CA, Revoke Certificate, Certificate
Remove Hold, Request Certificate with SubjectAltName, System: Add CA Certificate For
Renewal, System: Add Certificate Store Entry, System: Modify CA Certificate, System:
Modify CA Certificate For Renewal, System: Modify Certificate Store Entry, System:
Remove Certificate Store Entry
-----------------------------
Number of permissions added 1
-----------------------------
[root@rhel7-1 ~]# IFS="$OLD_IFS"
[root@rhel7-1 ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
Role name: testrole
[root@rhel7-1 ~]# ipa role-add-privilege testrole --privileges=testpriv
Role name: testrole
Privileges: testpriv
----------------------------
Number of privileges added 1
----------------------------
[root@rhel7-1 ~]# ipa group-add testgroup
-----------------------
Added group "testgroup"
-----------------------
Group name: testgroup
GID: 1958800012
[root@rhel7-1 ~]# ipa user-add testuser --first=f --last=l --password
Password:
Enter Password again to verify:
---------------------
Added user "testuser"
---------------------
User login: testuser
First name: f
Last name: l
Full name: f l
Display name: f l
Initials: fl
Home directory: /home/testuser
GECOS: f l
Login shell: /bin/sh
Kerberos principal: testuser
Email address: testuser
UID: 1958800013
GID: 1958800013
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@rhel7-1 ~]# ipa role-add-member testrole --groups=testgroup
Role name: testrole
Member groups: testgroup
Privileges: testpriv
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa group-add-member testgroup --users=testuser
Group name: testgroup
GID: 1958800012
Member users: testuser
Roles: testrole
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# kinit testuser
Password for testuser:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa caacl-enable hosts_services_caIPAserviceCert
------------------------------------------------
Enabled CA ACL "hosts_services_caIPAserviceCert"
------------------------------------------------
[root@rhel7-1 ~]# ipa caacl-add testcaacl --profilecat=all --hostcat=all --servicecat=all
------------------------
Added CA ACL "testcaacl"
------------------------
ACL name: testcaacl
Enabled: TRUE
Profile category: all
Host category: all
Service category: all
[root@rhel7-1 ~]# ipa caacl-add-user testcaacl --users=testuser
ACL name: testcaacl
Enabled: TRUE
Profile category: all
Host category: all
Service category: all
Users: testuser
-------------------------
Number of members added 1
-------------------------
[root@rhel7-1 ~]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
Profile ID: caIPAserviceCert
Profile description: Standard profile for network services
Store issued certificates: TRUE
[root@rhel7-1 ~]# sed -i '/^profileId=.*$/d' caIPAuserCert.txt
[root@rhel7-1 ~]# sed -i 's/^desc=.*$/desc=test ca profile/' caIPAuserCert.txt
[root@rhel7-1 ~]# ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
Profile description: test ca profile
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
Profile ID: caIPAuserCert
Profile description: test ca profile
Store issued certificates: TRUE
[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout testcert.key -out testcert.csr -subj '/CN=testuser'
Generating a 2048 bit RSA private key
............................+++
.....................................................................+++
writing new private key to 'testcert.key'
-----
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit testuser
Password for testuser:
#####################################################################
############ Here the user is granted access because CAACL rights are in place to allow the user access.
#####################################################################
[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
Certificate: MIIE...truncated...
Subject: CN=testuser,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Wed Sep 30 15:45:18 2015 UTC
Not After: Sat Sep 30 15:45:18 2017 UTC
Fingerprint (MD5): db:2d:50:55:a2:55:ee:49:ec:41:1c:30:07:a0:4e:e6
Fingerprint (SHA1): c1:54:79:6f:57:76:8e:cc:75:d4:de:f4:30:79:4e:d6:9f:39:04:27
Serial number: 20
Serial number (hex): 0x14
########################################
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa caacl-remove-user testcaacl --users=testuser
ACL name: testcaacl
Enabled: TRUE
Profile category: all
Host category: all
Service category: all
---------------------------
Number of members removed 1
---------------------------
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit testuser
Password for testuser:
#####################################################################
############ Here the user is denied because CAACL access not set
#####################################################################
[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
ipa: ERROR: Insufficient access: Principal 'testuser' is not permitted to use CA '.' with profile 'caIPAuserCert' for certificate issuance.
###########################
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit admin
Password for admin:
[root@rhel7-1 ~]# ipa privilege-add-permission testpriv --permissions="Request Certificate ignoring CA ACLs"
Privilege name: testpriv
Permissions: Retrieve Certificates from the CA, Request Certificate, Request Certificates from a different host, Get Certificates status from the
CA, Revoke Certificate, Certificate Remove Hold, Request Certificate with SubjectAltName, Request Certificate ignoring CA ACLs,
System: Add CA Certificate For Renewal, System: Add Certificate Store Entry, System: Modify CA Certificate, System: Modify CA
Certificate For Renewal, System: Modify Certificate Store Entry, System: Remove Certificate Store Entry
Granting privilege to roles: testrole
-----------------------------
Number of permissions added 1
-----------------------------
[root@rhel7-1 ~]# ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
ACL name: hosts_services_caIPAserviceCert
Enabled: TRUE
Host category: all
Service category: all
Profiles: caIPAserviceCert
ACL name: testcaacl
Enabled: TRUE
Profile category: all
Host category: all
Service category: all
----------------------------
Number of entries returned 2
----------------------------
[root@rhel7-1 ~]# kdestroy -A
[root@rhel7-1 ~]# kinit testuser
Password for testuser:
#####################################################################
############ Here access is granted again because the permission to ignore CAACL was added to the privilege
#####################################################################
[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
Certificate: MIIEB...truncated...
Subject: CN=testuser,O=EXAMPLE.COM
Issuer: CN=Certificate Authority,O=EXAMPLE.COM
Not Before: Wed Sep 30 15:55:28 2015 UTC
Not After: Sat Sep 30 15:55:28 2017 UTC
Fingerprint (MD5): 7c:b1:8b:ba:37:f0:46:74:84:e5:a3:61:25:63:4d:f6
Fingerprint (SHA1): 87:65:b3:b3:af:bb:09:61:62:ee:6b:14:d4:a0:b2:94:af:ef:69:33
Serial number: 21
Serial number (hex): 0x15
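Added example, not part of the bug report or of FreeIPA: a small POSIX shell helper set that reproduces the two checks behind the verification run above without a live server. It parses `ipa privilege-show --all --raw` output to build the permission list for a privilege cloned from "Certificate Administrators" minus the CA ACL bypass permission (the manual clone Martin describes in Comment 2), and classifies `ipa cert-request` output as a CA ACL denial. Function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the bug report. Helpers that reproduce the two
# checks in the verification run without a live IPA server:
#  - build the permission list for a privilege cloned from "Certificate
#    Administrators" minus the CA ACL bypass permission;
#  - classify `ipa cert-request` output as a CA ACL denial or not.
# Function names and the sample outputs below are constructed for this example.

BYPASS_PERM="Request Certificate ignoring CA ACLs"

# Read `ipa privilege-show --all --raw <privilege>` on stdin and print one
# permission name per line, taken from the memberof: lines that point into
# the cn=permissions container. Assumes permission names contain no comma,
# which holds for the built-in certificate permissions listed in this bug.
privilege_perms() {
    sed -n 's/^memberof: cn=\([^,]*\),cn=permissions,cn=pbac,.*$/\1/p'
}

# Same list with the bypass permission dropped (exact, whole-line match so a
# permission merely containing the words is not dropped by accident).
perms_without_bypass() {
    privilege_perms | grep -v -x -F "$BYPASS_PERM"
}

# Read `ipa cert-request` output on stdin; exit 0 only if the CA ACL check
# refused the request (the error text seen in the verification run).
cert_request_denied() {
    grep -q "Insufficient access: Principal '.*' is not permitted to use CA"
}

# Constructed sample of `ipa privilege-show --all --raw "Certificate Administrators"`
SAMPLE_RAW='dn: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=com
cn: Certificate Administrators
memberof: cn=Request Certificate,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com
memberof: cn=Revoke Certificate,cn=permissions,cn=pbac,dc=example,dc=com
objectClass: top'

# Constructed sample of a refused request (wording from the verification run)
SAMPLE_DENIED="ipa: ERROR: Insufficient access: Principal 'testuser' is not permitted to use CA '.' with profile 'caIPAuserCert' for certificate issuance."

# On a real server with an admin ticket, the cloned privilege is filled as:
#   ipa privilege-show --all --raw "Certificate Administrators" | perms_without_bypass |
#     while IFS= read -r perm; do ipa privilege-add-permission testpriv --permissions="$perm"; done
```

Reading one permission per line avoids the IFS juggling in the verification transcript and keeps permission names that contain spaces or colons intact.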
Comment 6

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html