Bug 1338031

Summary: Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
Product: Red Hat Enterprise Linux 7
Reporter: Abhinay Reddy Peddireddy <apeddire>
Component: ipa
Assignee: IPA Maintainers <ipa-maint>
Status: CLOSED ERRATA
QA Contact: Kaleem <ksiddiqu>
Severity: medium
Docs Contact:
Priority: unspecified
Version: 7.2
CC: mbasti, pvoborni, rcritten, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Linux
Whiteboard:
Fixed In Version: ipa-4.4.0-0.el7.1.alpha1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-11-04 05:54:16 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Abhinay Reddy Peddireddy 2016-05-20 19:28:44 UTC
Description of problem:

Not able to edit the employeenumber, email, departnumber attributes as a user who is added to a role having the "User Administrators" privilege.

Getting an error like the one below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.


Steps to Reproduce:

1. Create a user in IPA with the Kerberos principal of admin.
  
  # kinit admin 

  # ipa user-add abhinayreddy --password 

2. Create a new role in IPA.  

   # ipa role-add usermodifier
  
3. Add "User Administrators" privilege to the new role created. 
   
   # ipa role-add-privilege --privileges="User Administrators" usermodifier

4. Add new user created as a member of the role. 

   # ipa role-add-member --users=abhinayreddy usermodifier

5. Get the Kerberos principal for the user "abhinayreddy".

   # kinit abhinayreddy 

6. Try to modify the employeenumber, email or departnumber of the user "ipauser".

   # ipa user-mod --employeenumber=123 ipauser

   # ipa user-mod --departnumbernumber=12345 ipauser

   # ipa user-mod --email=rd ipauser


Actual results:

Getting the errors below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'departmentNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'mail' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.



Expected results:

User "abhinayreddy" should be able to modify the employeenumber, email and departnumber attributes of the user "ipauser".


# ipa user-mod --employeenumber=123 ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Employee Number: 123
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --departnumber=122 ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Department Number: 122
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --email=ipauser ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


Additional info:

Maybe this is helpful:

I can see that there is no write permission defined for these attributes in the "Modify Users" permission.


# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redha
 t,dc=com
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=gsslab,dc
 =pnq,dc=redhat,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: labeleduri
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: street
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: homephone
ipaPermDefaultAttr: title
ipaPermDefaultAttr: facsimiletelephonenumber
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: description
ipaPermDefaultAttr: businesscategory
ipaPermDefaultAttr: preferredlanguage
ipaPermDefaultAttr: roomnumber
ipaPermDefaultAttr: mepmanagedentry
ipaPermDefaultAttr: carlicense
ipaPermDefaultAttr: postalcode
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: pager
ipaPermDefaultAttr: seealso
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: inetuserhttpurl
ipaPermDefaultAttr: l
ipaPermDefaultAttr: st
ipaPermDefaultAttr: mobile
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: ou
ipaPermDefaultAttr: secretary
ipaPermDefaultAttr: userclass
ipaPermDefaultAttr: initials
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com

Comment 2 Martin Bašti 2016-05-23 07:48:28 UTC
Hello,

'employeenumber' is not covered by default by the privilege you mentioned above.

However, it can be added by modifying 'Permission: System: Modify Users'.

Please open the IPA WebUI (as admin), IPA Server/Role Based Access Control/Permissions/'Permission: System: Modify Users' and mark 'employee number' in the effective attributes section.

Same for email and department number.


Please let me know if the provided steps work.
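
The audit below is an added example (not from the report or from FreeIPA) of the point made in the description and in Comment 2: a V2 managed permission grants its right on (ipaPermDefaultAttr plus ipaPermIncludedAttr) minus ipaPermExcludedAttr, so "System: Modify Users" cannot write employeenumber, departmentnumber or mail until they are added to the included attributes, which is what marking them in the WebUI (or `ipa permission-mod 'System: Modify Users' --includedattrs=...`) does. It assumes a constructed, shortened copy of the LDIF entry shown above and uses function names of its own.

```python
# FreeIPA computes the effective attributes of a V2 managed permission as
# (ipaPermDefaultAttr + ipaPermIncludedAttr) - ipaPermExcludedAttr.
# SAMPLE_LDIF is a constructed, shortened copy of the entry in the report.
SAMPLE_LDIF = """\
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=example,
 dc=com
ipaPermRight: write
ipaPermissionType: MANAGED
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: title
ipaPermDefaultAttr: sn
"""

WANTED = ("employeenumber", "departmentnumber", "mail")

def parse_ldif_entry(text):
    """Unfold RFC 2849 continuation lines; return {attr: [values]}, lowercased."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # a folded line continues the previous one
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip().lower())
    return entry

def effective_attrs(entry):
    """Attributes the managed permission actually grants its right on."""
    default = set(entry.get("ipapermdefaultattr", []))
    included = set(entry.get("ipapermincludedattr", []))
    excluded = set(entry.get("ipapermexcludedattr", []))
    return (default | included) - excluded

def missing_write_attrs(entry, wanted=WANTED):
    """Attributes in `wanted` that this permission does not grant 'write' on."""
    if "write" not in entry.get("ipapermright", []):
        return sorted(wanted)
    return sorted(set(wanted) - effective_attrs(entry))

def with_included(entry, attrs):
    """Copy of the entry with `attrs` added to ipaPermIncludedAttr (the fix)."""
    fixed = {k: list(v) for k, v in entry.items()}
    fixed.setdefault("ipapermincludedattr", []).extend(a.lower() for a in attrs)
    return fixed
```

Run against a real export (`ipa permission-show 'System: Modify Users' --all --raw` or an ldapsearch of the entry) the same functions report which of the wanted attributes the permission still cannot write.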

Comment 3 Martin Bašti 2016-05-25 13:18:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5911

Comment 4 Abhinay Reddy Peddireddy 2016-05-26 14:32:54 UTC
Check-marking those attributes in the effective users section of the write privilege worked fine as expected.

Comment 5 Martin Bašti 2016-05-29 12:16:16 UTC
Great, defaults will be fixed in 7.3.

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1ce63e6193701679f539f7c83ddee9f65056b806

Comment 7 Scott Poore 2016-09-09 23:59:27 UTC
Verified.

Version ::

ipa-server-4.4.0-9.el7.x86_64

Results ::

[root@master ~]# ipa user-add testadmin --first=f --last=l
----------------------
Added user "testadmin"
----------------------
  User login: testadmin
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testadmin
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testadmin
  Principal alias: testadmin
  Email address: testadmin
  UID: 989000013
  GID: 989000013
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa passwd testadmin
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "testadmin"
-----------------------------------------

[root@master ~]# kinit testadmin
Password for testadmin: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@master ~]# kdestroy -A

[root@master ~]# kinit admin
Password for admin: 

[root@master ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
  Role name: testrole

[root@master ~]# ipa role-add-privilege --privileges="User Administrators" testrole
  Role name: testrole
  Privileges: User Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-member --users=testadmin testrole
  Role name: testrole
  Member users: testadmin
  Privileges: User Administrators
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa user-add testuser --first=f --last=l
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# kdestroy -A

[root@master ~]# kinit testadmin
Password for testadmin: 

[root@master ~]# ipa user-mod testuser --employeenumber=123
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Employee Number: 123
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --departmentnumber=122
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Department Number: 122
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --email=testuser
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --manager=admin
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser
  Principal alias: testuser
  Email address: testuser
  UID: 989000014
  GID: 989000014
  Manager: admin
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Comment 9 errata-xmlrpc 2016-11-04 05:54:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html