Bug 634301

Summary: ipa host-mod --setattr should not allow enrolledBy to be changed
Product: [Retired] freeIPA Reporter: Jenny Severance <jgalipea>
Component: ipa-admintoolsAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: Chandrasekar Kannan <ckannan>
Severity: high Docs Contact:
Priority: low    
Version: 2.0CC: benl, dpal, jgalipea
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: freeipa-2.1.3-5.fc16 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 716287 (view as bug list) Environment:
Last Closed: 2012-03-28 09:36:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 716287    

Description Jenny Severance 2010-09-15 18:38:16 UTC 
Description of problem:
ipa host-mod --setattr on enrolledBy attribute is successful.  This should not be allowed.

Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010080617git830910d.fc12.i686
ipa-admintools-1.91-0.2010080617git830910d.fc12.i686


How reproducible:
always

Steps to Reproduce:
1. add a new host
  # ipa host-add newhost.domain.com
2. enrolledBy value should be said you your current admin id - verify
  # ipa host-show --all newhost.domain.com
3. change the enrolledBy value
  # "ipa host-mod --setattr enrolledBy=\"uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com\" newhost.domain.com
4. check value of enrolledBy 
 # ipa host-show --all newhost.domain.com

Actual results:
successful

Expected results:
error message stating the operation is not allowed

Additional info:
Comment 1 Rob Crittenden 2010-09-27 19:03:38 UTC 
Will control this via the framework, not an ACI, so it will still be writable by an LDAP write. This will prevent casual overwriting.

This is difficult to fix because a host can be unenrolled and re-enrolled, so the attribute needs to be writable under some conditions.

https://fedorahosted.org/freeipa/ticket/302
Comment 2 Dmitri Pal 2010-12-10 22:51:47 UTC 
master: 9726941e3d8cfd653034af09d34986b9f9dfdadf
Comment 3 Jenny Severance 2011-06-10 20:19:54 UTC 
verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server
Comment 4 Jenny Severance 2011-06-23 16:54:41 UTC 
Regression

Version:

ipa-server.i686 0:2.0.99-1.20110622T0510zgit3a36ece.el6


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: ERROR: Expected "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" to fail.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: no modifications to be performed  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 13s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
Comment 5 Rob Crittenden 2011-07-15 14:12:58 UTC 
master: 37e3bf2a6096ea18f46501bf5f2a51c55e829595