| Summary: | ipactl: allowed to execute command as non root user | | |
|---|---|---|---|
| Product: | [Retired] freeIPA | Reporter: | Jenny Severance <jgalipea> |
| Component: | ipa-server | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Chandrasekar Kannan <ckannan> |
| Severity: | high | Priority: | low |
| Version: | 2.0 | CC: | benl, dpal, jgalipea, mgregg, nkinder, ssorce |
| Hardware: | Unspecified | OS: | Unspecified |
| Doc Type: | Bug Fix | Last Closed: | 2011-02-23 20:11:28 UTC |
| : | 669767 | Bug Blocks: | 669767 |
ipactl simply calls init scripts. It doesn't care about who is calling, just like init scripts don't. If you are not root you can't cause any service to start or stop anyways. Why do you expect ipactl to care when init scripts themselves don't?

IPA is a security server that controls authentication and identity management for the whole company. Restarting it should be a privileged operation. An ordinary user should not be allowed to start or stop any IPA services regardless of how it is implemented under the hood (using init scripts or something else). It is a whole other question how the rest of Linux works and what is allowed regarding init scripts. This is as a security issue and I agree with it. There is a whole other question whether we can actually fix it, when and how.

There is no security issue here. The user running ipactl has no more privileges running it than running manually all the daemons' init scripts. If you can stop ipa_kpasswd with its script as a user then we need a specific bug on it asap. If you can stop the PKI instance as an unprivileged user, the same. But I suspect these findings come from improper testing rather than real vulnerabilities. IMO this bug is INVALID.

After doing so as non-root user ... you can no longer start the PKI directory server instance, this results in having to restore your ipa-server .. this is just a side effect ... expected results are still that the user should receive an error and the command should not be executed.

stopping just dirsrv as non root user ...
$ service dirsrv restart
/etc/init.d/functions: line 51: /dev/stderr: Permission denied
/etc/rc.d/init.d/functions: line 51: /dev/stderr: Permission denied
/etc/sysconfig/dirsrv: line 50: ulimit: open files: cannot modify limit: Operation not permitted
Shutting down dirsrv:
TESTRELM... server not running [FAILED]
*** Error: 1 instance(s) unsuccessfully stopped [FAILED]
Starting dirsrv:
TESTRELM.../etc/init.d/dirsrv: line 147: kill: (23915) - Operation not permitted
not running, but pid file exists
TESTRELM... attempting to start anywayrm: cannot remove `/var/lock/dirsrv/slapd-TESTRELM/server/23915': Permission denied
[14/Jan/2011:08:38:15 -0500] config - The configuration file /etc/dirsrv/slapd-TESTRELM/dse.ldif does not exist
[14/Jan/2011:08:38:15 -0500] config - The backup configuration file /etc/dirsrv/slapd-TESTRELM/dse.ldif.tmp does not exist, either.
[14/Jan/2011:08:38:15 -0500] schema - No schema files were found in the directory /etc/dirsrv/slapd-TESTRELM/schema
[14/Jan/2011:08:38:15 -0500] dse - Please edit the file to correct the reported problems and then restart the server.
[FAILED]
*** Warning: 1 instance(s) failed to start
[jgalipea@jennyv1 ~]$ ps -ef | grep slapd
jgalipea 7151 7087 0 08:38 pts/0 00:00:00 grep --color=auto slapd
admin 23915 1 1 Jan13 ? 00:18:54 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM -i /var/run/dirsrv/slapd-TESTRELM.pid -w /var/run/dirsrv/slapd-TESTRELM.startpid
stopping just ipa_kpasswd ...
$ service ipa_kpasswd stop
/etc/init.d/functions: line 51: /dev/stderr: Permission denied
/etc/rc.d/init.d/functions: line 51: /dev/stderr: Permission denied
rm: cannot remove `/var/run/ipa_kpasswd.pid': Permission deniedLED]
stopping just httpd .....
$ service httpd stop
/etc/init.d/functions: line 51: /dev/stderr: Permission denied
/etc/rc.d/init.d/functions: line 51: /dev/stderr: Permission denied
rm: cannot remove `/var/run/httpd/httpd.pid': Permission deniedLED]
rm: cannot remove `/var/lock/subsys/httpd': Permission denied
rm: cannot remove `/var/run/httpd/httpd.pid': Permission denied
stopping just named ....
$ service named stop
/etc/init.d/functions: line 51: /dev/stderr: Permission denied
/etc/rc.d/init.d/functions: line 51: /dev/stderr: Permission denied
This is a DS issue. Addressed by https://bugzilla.redhat.com/show_bug.cgi?id=671199
Description of problem:

A non root user is allowed to execute ipactl ...

###################### stopping services #################################
$ ipactl stop
Stopping HTTP Service
Stopping DNS Service
Failed to stop DNS Service
Stopping KPASSWD Service
Failed to stop KPASSWD Service
Stopping KDC Service
Failed to stop KDC Service
Stopping Directory Service

This appears to be successful ... but seems to only really stop the PKI directory server instance and ipa_kpasswd.

$ ps xa | grep -v grep |grep dirsrv| grep PKI
$ ps xa | grep -v grep |grep dirsrv| grep TESTRELM
4092 ? Sl 0:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM -i /var/run/dirsrv/slapd-TESTRELM.pid -w /var/run/dirsrv/slapd-TESTRELM.startpid
$ ps xa | grep -v grep |grep httpd
4289 pts/0 S 0:00 /usr/sbin/nss_pcache off /etc/httpd/alias
4291 ? Ssl 0:00 /usr/sbin/httpd
4295 ? Sl 0:01 /usr/sbin/httpd
4296 ? Sl 0:01 /usr/sbin/httpd
4297 ? S 0:00 /usr/sbin/httpd
4298 ? S 0:00 /usr/sbin/httpd
4299 ? S 0:00 /usr/sbin/httpd
4300 ? S 0:00 /usr/sbin/httpd
4301 ? S 0:00 /usr/sbin/httpd
4302 ? S 0:00 /usr/sbin/httpd
4303 ? S 0:00 /usr/sbin/httpd
4304 ? S 0:00 /usr/sbin/httpd
4305 ? S 0:00 /usr/sbin/httpd
$ ps xa | grep -v grep |grep ipa_kpasswd
4200 ? S 0:00 ipa_kpasswd
$ ps xa | grep -v grep |grep ntpd
3426 ? Ss 0:03 ntpd -u ntp:ntp -p /var/run/ntpd.pid -u ntp:ntp -p /var/run/ntpd.pid -g -x

########################## starting services ############################
$ ipactl start
Starting Directory Service
Starting KDC Service
Starting KPASSWD Service
Failed to start KPASSWD Service
Shutting down
$ ps xa | grep -v grep |grep dirsrv| grep PKI
$ ps xa | grep -v grep |grep dirsrv| grep TESTRELM
4092 ? Sl 0:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM -i /var/run/dirsrv/slapd-TESTRELM.pid -w /var/run/dirsrv/slapd-TESTRELM.startpid
$ ps xa | grep -v grep |grep httpd
4289 pts/0 S 0:00 /usr/sbin/nss_pcache off /etc/httpd/alias
4291 ? Ssl 0:00 /usr/sbin/httpd
4295 ? Sl 0:01 /usr/sbin/httpd
4296 ? Sl 0:01 /usr/sbin/httpd
4297 ? S 0:00 /usr/sbin/httpd
4298 ? S 0:00 /usr/sbin/httpd
4299 ? S 0:00 /usr/sbin/httpd
4300 ? S 0:00 /usr/sbin/httpd
4301 ? S 0:00 /usr/sbin/httpd
4302 ? S 0:00 /usr/sbin/httpd
4303 ? S 0:00 /usr/sbin/httpd
4304 ? S 0:00 /usr/sbin/httpd
4305 ? S 0:00 /usr/sbin/httpd
$ ps xa | grep -v grep |grep ipa_kpasswd
4200 ? S 0:00 ipa_kpasswd
$ ps xa | grep -v grep |grep ntpd
3426 ? Ss 0:03 ntpd -u ntp:ntp -p /var/run/ntpd.pid -u ntp:ntp -p /var/run/ntpd.pid -g -x

Now switch back to root and try to remedy the situation ...

# ipactl stop
Stopping HTTP Service
Stopping DNS Service
Stopping KPASSWD Service
Stopping KDC Service
Stopping Directory Service
[root@jennyv1 ipa-ctl]# ipactl start
Starting Directory Service
Error retrieving list of services {'desc': "Can't contact LDAP server"}
Is IPA installed ?
Failed to read data from Directory Service
Shutting down
# ps xa | grep -v grep |grep PKI
# ps xa | grep -v grep |grep TESTRELM
4092 ? Sl 0:02 /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-TESTRELM -i /var/run/dirsrv/slapd-TESTRELM.pid -w /var/run/dirsrv/slapd-TESTRELM.startpid
# ps xa | grep -v grep |grep httpd
# ps xa | grep -v grep |grep ipa_kpasswd
# ps xa | grep -v grep |grep ntpd
3426 ? Ss 0:03 ntpd -u ntp:ntp -p /var/run/ntpd.pid -u ntp:ntp -p /var/run/ntpd.pid -g -x

Nothing was started .. or restarted as TESTRELM directory service instance and ntp PIDs remain unchanged. Can no longer start services.

Version-Release number of selected component (if applicable):
ipa-server-2.0-0.2011011204git380fed3.fc14.i686

How reproducible:
always

Steps to Reproduce:
1. see description

Actual results:
install hosed - can no longer start services

Expected results:
non-root user should be immediately denied trying to execute ipactl
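The expected result in this report, as an added Python example that is not ipactl's own code: the privilege check runs once, before any init script is called, so a denied caller leaves no partial state behind. The names `require_root`, `control` and `NotRootError` are hypothetical, and the service list contains only the init script names that appear in the `service` commands above.

```python
import os
import subprocess
import sys

# Stop order follows the `ipactl stop` output in this report; start is the reverse.
SERVICES = ["httpd", "named", "ipa_kpasswd", "dirsrv"]


class NotRootError(PermissionError):
    """Raised when the caller's effective UID is not 0."""


def require_root(euid=None):
    # Effective UID is what the kernel checks, so test that rather than $USER.
    euid = os.geteuid() if euid is None else euid
    if euid != 0:
        raise NotRootError("You must be root to run this command (euid=%d)" % euid)


def _service(name, action):
    # Argument list with no shell: names are never interpolated into a command line.
    return subprocess.call(["service", name, action])


def control(action, services=SERVICES, euid=None, runner=_service):
    """Run `action` on every service; return the names whose script failed."""
    if action not in ("start", "stop"):
        raise ValueError("action must be 'start' or 'stop'")
    # Fail closed first: nothing below runs for an unprivileged caller, so no
    # pid or lock file is touched and no instance is left half stopped.
    require_root(euid)
    order = list(services) if action == "stop" else list(reversed(services))
    return [name for name in order if runner(name, action) != 0]


if __name__ == "__main__":
    try:
        failed = control(sys.argv[1] if len(sys.argv) > 1 else "")
    except (NotRootError, ValueError) as exc:
        sys.exit(str(exc))
    sys.exit(1 if failed else 0)
```

The `euid` and `runner` parameters exist so the denial path can be exercised in a test without root and without touching real services.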