Bug 716287
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | ipa host-mod --setattr should not allow enrolledBy to be changed | | |
| Product | Red Hat Enterprise Linux 6 | Reporter | Jenny Severance <jgalipea> |
| Component | ipa | Assignee | Rob Crittenden <rcritten> |
| Status | CLOSED ERRATA | QA Contact | Chandrasekar Kannan <ckannan> |
| Severity | high | Docs Contact | |
| Priority | low | | |
| Version | 6.1 | CC | benl, dpal, jgalipea, nsoman |
| Target Milestone | rc | | |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | ipa-2.1.0-1.el6 | Doc Type | Bug Fix |
| Doc Text | (see below) | | |
| Story Points | --- | | |
| Clone Of | 634301 | Environment | |
| Last Closed | 2011-12-06 18:36:26 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 634301 | | |
| Bug Blocks | | | |

Doc Text:
Cause: When a host is enrolled, the user that performs the enrollment is stored in the host entry's enrolledBy attribute. An administrator was able to change this value using --setattr.
Consequence: The record of who enrolled a host, which should be immutable, could be rewritten after enrollment.
Fix: Remove write permission for enrolledBy from the access controls.
Result: The enrolledBy value is no longer writable.
Description
Jenny Severance
2011-06-23 20:48:14 UTC
master: 37e3bf2a6096ea18f46501bf5f2a51c55e829595

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When a host is enrolled, the user that does the enrollment is stored in the attribute enrolledBy in the host. An administrator was able to change this value using --setattr.
Consequence: This value should be immutable.
Fix: Remove write permission for enrolledBy from the access controls.
Result: The enrolledBy value is no longer writable.

Verified using ipa-server.x86_64 0:2.1.3-8.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:08:05] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:08] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:10] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --setattr.
:: [10:08:10] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:12] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:15] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --addattr.
'383ffb8c-fabe-448e-a6ab-28ef493e0582' ipa-host-cli-21 result: PASS metric: 0
Log: /tmp/beakerlib-3497821/journal.txt
Info: Searching AVC errors produced since 1320415685.51 (Fri Nov 4 10:08:05 2011)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.fGwZfu : AvcLog: /mnt/testarea/tmp.fGwZfu
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-22: Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:08:17] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:20] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [10:08:22] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --setattr.
:: [10:08:22] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:24] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [10:08:27] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --addattr.
'83db3557-686c-474a-b9c8-877657f5b9b6' ipa-host-cli-22 result: PASS metric: 0
Log: /tmp/beakerlib-3497821/journal.txt
Info: Searching AVC errors produced since 1320415697.39 (Fri Nov 4 10:08:17 2011)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.fGwZfu : AvcLog: /mnt/testarea/tmp.fGwZfu

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
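The fix described above is an access-control change: enrolledBy is removed from the set of attributes that any ACI grants write on, and the verification log checks that from the outside by trying host-mod --setattr and --addattr. The static half of that check, auditing the ACI set itself for residual write grants on an attribute that must stay immutable, is shown below as an added example. It is not FreeIPA's or 389-ds's own code, and the ACI strings, the group DN cn=sample-host-admins and the ACI names are constructed for illustration rather than copied from a real IPA tree. The example covers the case the plain "is enrolledBy listed?" test misses: a negated clause (targetattr != "...") grants write on every attribute it does not name, so enrolledBy has to be added to its exception list to be safe. Bind rules (who the ACI applies to) are deliberately not evaluated, since the question is whether any subject can write the attribute.

```python
"""Audit 389-ds style ACIs for write access to an attribute that must stay immutable.

Added example, not FreeIPA's own access controls: the ACI strings below are
constructed for illustration.  Only the targetattr clause and the allow/deny
permission list are evaluated; bind rules are ignored on purpose.
"""
import re
from dataclasses import dataclass

# (targetattr = "a || b") or (targetattr != "a || b"); names compare case-insensitively.
TARGETATTR_RE = re.compile(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', re.IGNORECASE)
# (version 3.0; acl "name"; allow (read, write) <bind rule>;)
BODY_RE = re.compile(
    r'\(\s*version\s*3\.0\s*;\s*acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Aci:
    name: str
    negated: bool        # True for 'targetattr != ...' (the list names the exceptions)
    attrs: frozenset     # lower-cased attribute names; "*" is the wildcard
    rule: str            # "allow" or "deny"
    perms: frozenset     # lower-cased permissions, e.g. {"read", "write"}


def parse_aci(text: str) -> Aci:
    body = BODY_RE.search(text)
    if body is None:
        raise ValueError(f"not a recognisable ACI: {text!r}")
    name, rule, perm_list = body.group(1), body.group(2).lower(), body.group(3)
    perms = frozenset(p.strip().lower() for p in perm_list.split(",") if p.strip())
    target = TARGETATTR_RE.search(text)
    if target is None:
        # Assumption made by this audit: an ACI with no targetattr clause is treated
        # as covering every attribute, so it gets flagged rather than silently skipped.
        negated, attrs = True, frozenset()
    else:
        negated = target.group(1) == "!="
        attrs = frozenset(a.strip().lower() for a in target.group(2).split("||") if a.strip())
    return Aci(name, negated, attrs, rule, perms)


def covers(aci: Aci, attr: str) -> bool:
    """Does the ACI's targetattr clause include this attribute?"""
    a = attr.lower()
    if aci.negated:
        return a not in aci.attrs
    return "*" in aci.attrs or a in aci.attrs


def write_grants(aci_texts, attr: str) -> list:
    """Names of allow-ACIs that grant write (or all) on attr, in input order."""
    hits = []
    for text in aci_texts:
        aci = parse_aci(text)
        if aci.rule == "allow" and aci.perms & {"write", "all"} and covers(aci, attr):
            hits.append(aci.name)
    return hits


# Constructed sample group; not a real IPA privilege.
SAMPLE_GROUP = "ldap:///cn=sample-host-admins,cn=groups,cn=accounts,dc=example,dc=com"

# Constructed "before" set: enrolledBy is listed explicitly in one ACI and is
# implicitly covered by the negated clause of another.
ACIS_BEFORE = [
    '(targetattr = "enrolledBy || nsHostLocation || nsHardwarePlatform")'
    f'(version 3.0; acl "sample: host admins modify hosts"; allow (write) groupdn = "{SAMPLE_GROUP}";)',
    '(targetattr != "userPassword || krbPrincipalKey")'
    f'(version 3.0; acl "sample: broad write"; allow (write) groupdn = "{SAMPLE_GROUP}";)',
    '(targetattr = "*")(version 3.0; acl "sample: anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]

# Constructed "after" set: enrolledBy dropped from the explicit list and added to the
# exception list of the negated ACI, so no ACI grants write on it any more.
ACIS_AFTER = [
    '(targetattr = "nsHostLocation || nsHardwarePlatform")'
    f'(version 3.0; acl "sample: host admins modify hosts"; allow (write) groupdn = "{SAMPLE_GROUP}";)',
    '(targetattr != "userPassword || krbPrincipalKey || enrolledBy")'
    f'(version 3.0; acl "sample: broad write"; allow (write) groupdn = "{SAMPLE_GROUP}";)',
    '(targetattr = "*")(version 3.0; acl "sample: anonymous read"; allow (read, search, compare) userdn = "ldap:///anyone";)',
]

if __name__ == "__main__":
    for label, acis in (("before", ACIS_BEFORE), ("after", ACIS_AFTER)):
        print(f"{label}: ACIs granting write on enrolledBy -> {write_grants(acis, 'enrolledBy')}")
```

To run this against a live directory, feed write_grants the aci values read from the relevant container (for hosts, the cn=computers,cn=accounts subtree and its parents) with an LDAP search as a privileged bind; an empty result for enrolledBy is the static counterpart of the "Insufficient 'write' privilege" errors in the verification log above. A deny ACI is never reported as a grant, but because bind rules are not evaluated the audit cannot tell whether a deny actually shadows an allow for a given subject; treat any non-empty result as something to inspect by hand.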