Bug 718250
Summary: Remove DENY rules from the HBAC access provider

| Field | Value |
|---|---|
| Product | Red Hat Enterprise Linux 6 |
| Component | sssd |
| Version | 6.1 |
| Status | CLOSED ERRATA |
| Severity | unspecified |
| Priority | high |
| Target Milestone | rc |
| Hardware | Unspecified |
| OS | Unspecified |
| Reporter | Stephen Gallagher <sgallagh> |
| Assignee | Stephen Gallagher <sgallagh> |
| QA Contact | Chandrasekar Kannan <ckannan> |
| CC | benl, dpal, grajaiya, jgalipea, jhrozek, prc |
| Fixed In Version | sssd-1.5.1-46.el6 |
| Doc Type | Bug Fix |
| Clones | 748854 |
| Bug Blocks | 748854 |
| Last Closed | 2011-12-06 16:38:57 UTC |

Doc Text:

Cause: The IPA server deprecated DENY rules of the Host Based Access Control provider
Consequence: The SSSD client needs a way to deal with DENY rules that are already in the wild
Fix: A new option ipa_hbac_treat_deny_as was added. It defaults to DENY_ALL which means that any DENY rule in the whole ruleset would deny access no matter what the actual rule is. The other option is to set it to IGNORE which would make SSSD just skip the DENY rules.
Result: The HBAC access provider was updated to reflect server-side IPA changes. It should be noted that the IGNORE setting is potentially dangerous as it, by ignoring the DENY rules altogether, may allow access to users who are not intended to be allowed.
Description (Stephen Gallagher, 2011-07-01 15:05:50 UTC)
Case 1: for users with ipa_hbac_treat_deny_as = DENY_ALL

Server:

```
# ipa hbacrule-find rule1
-------------------
1 HBAC rule matched
-------------------
  Rule name: rule1
  Rule type: deny
  Enabled: TRUE
  Users: shanks
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Source hosts: kungfupanda.lab.eng.pnq.redhat.com, ironhide.lab.eng.pnq.redhat.com
```

Client:

```
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, kungfupanda.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
```

```
[root@ironhide ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.65
[root@ironhide ~]#
[root@ironhide ~]# ssh -l shanks2 $HOSTNAME
shanks2.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.65
[root@ironhide ~]#
```

Case 2: for users with ipa_hbac_treat_deny_as = IGNORE

Server:

```
# ipa hbacrule-find rule1
-------------------
1 HBAC rule matched
-------------------
  Rule name: rule1
  Rule type: deny
  Enabled: TRUE
  Users: shanks
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Source hosts: kungfupanda.lab.eng.pnq.redhat.com, ironhide.lab.eng.pnq.redhat.com
```

Client:

```
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, kungfupanda.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
ipa_hbac_treat_deny_as = ignore
```

```
[root@ironhide ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password:
Last login: Mon Oct 3 10:52:45 2011 from ironhide.lab.eng.pnq.redhat.com
-sh-4.1$
```

Case 3: for groups with ipa_hbac_treat_deny_as = DENY_ALL

Server:

```
# ipa hbacrule-find rule1
-------------------
1 HBAC rule matched
-------------------
  Rule name: rule1
  Rule type: deny
  Enabled: TRUE
  Groups: ipausers
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Source hosts: ironhide.lab.eng.pnq.redhat.com, kungfupanda.lab.eng.pnq.redhat.com

# ipa group-show ipausers
  Group name: ipausers
  Description: Default group for all users
  GID: 1116200001
  Member users: shanks, shanks2

# ipa user-show shanks3
  User login: shanks3
  First name: s
  Last name: 3
  Home directory: /home/shanks3
  Login shell: /bin/sh
  Account disabled: False
```

Client:

```
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, kungfupanda.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
```

```
[root@ironhide ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.65
[root@ironhide ~]# ssh -l shanks2 $HOSTNAME
shanks2.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.65
[root@ironhide ~]# ssh -l shanks3 $HOSTNAME
shanks3.eng.pnq.redhat.com's password:
Connection closed by 10.65.201.65
```

Case 4: for groups with ipa_hbac_treat_deny_as = IGNORE

Server:

```
# ipa hbacrule-find rule1
-------------------
1 HBAC rule matched
-------------------
  Rule name: rule1
  Rule type: deny
  Enabled: TRUE
  Groups: ipausers
  Hosts: ironhide.lab.eng.pnq.redhat.com
  Source hosts: ironhide.lab.eng.pnq.redhat.com, kungfupanda.lab.eng.pnq.redhat.com
```

Client:

```
[domain/lab.eng.pnq.redhat.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = lab.eng.pnq.redhat.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_server = _srv_, kungfupanda.lab.eng.pnq.redhat.com
ldap_tls_cacert = /etc/ipa/ca.crt
debug_level = 9
ipa_hbac_treat_deny_as = ignore
```

```
[root@ironhide ~]# ssh -l shanks3 $HOSTNAME
shanks3.eng.pnq.redhat.com's password:
Last login: Mon Oct 3 10:59:03 2011 from ironhide.lab.eng.pnq.redhat.com
[root@ironhide ~]# ssh -l shanks $HOSTNAME
shanks.eng.pnq.redhat.com's password:
Last login: Mon Oct 3 10:52:50 2011 from ironhide.lab.eng.pnq.redhat.com
```

and in domain logs when denied:

```
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_attrs_to_rule] (7): Processing rule [allow_all]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_user_attrs_to_rule] (7): Processing users for rule [allow_all]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_service_attrs_to_rule] (7): Processing PAM services for rule [allow_all]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_thost_attrs_to_rule] (7): Processing target hosts for rule [allow_all]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_shost_attrs_to_rule] (7): Processing source hosts for rule [allow_all]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_get_category] (5): Category is set to 'all'.
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_attrs_to_rule] (7): Processing rule [rule1]
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [hbac_attrs_to_rule] (7): Rule [rule1] is not an ALLOW rule
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [ipa_hbac_evaluate_rules] (1): DENY rules detected. Denying access to all users
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [sdap_id_op_destroy] (9): releasing operation connection
(Mon Oct 3 10:57:43 2011) [sssd[be[lab.eng.pnq.redhat.com]]] [be_pam_handler_callback] (4): Backend returned: (0, 6, <NULL>) [Success]
```

Verified.

```
ipa-server-2.0.0-23.el6.x86_64
sssd-1.5.1-53.el6.i686
```

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Cause: The IPA server deprecated DENY rules of the Host Based Access Control provider
Consequence: The SSSD client needs a way to deal with DENY rules that are already in the wild
Fix: A new option ipa_hbac_treat_deny_as was added. It defaults to DENY_ALL which means that any DENY rule in the whole ruleset would deny access no matter what the actual rule is. The other option is to set it to IGNORE which would make SSSD just skip the DENY rules.
Result: The HBAC access provider was updated to reflect server-side IPA changes. It should be noted that the IGNORE setting is potentially dangerous as it, by ignoring the DENY rules altogether, may allow access to users who are not intended to be allowed.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2011-1529.html
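The following is an added example, not SSSD's own code, that models the two ipa_hbac_treat_deny_as behaviours from the Doc Text and the four verification cases above: with DENY_ALL the mere presence of an enabled deny rule denies every user, while with IGNORE deny rules are skipped and a user that rule1 was meant to block gets in through allow_all. The HbacRule and AccessRequest shapes are assumptions, and host groups, service groups and source hosts are left out; deny_rules() is the check an administrator would run before switching to IGNORE.

```python
# Added example (not SSSD's own code): a simplified model of how the
# ipa_hbac_treat_deny_as option described above changes an HBAC decision.
# The rule/request shapes are assumptions; host groups, service groups and
# source hosts, which real HBAC also evaluates, are left out for brevity.
from dataclasses import dataclass
ALL = "all"  # models an HBAC component whose category is set to 'all'

@dataclass(frozen=True)
class HbacRule:
    name: str
    rule_type: str          # "allow" or "deny"
    users: object = ALL     # ALL or frozenset of user and group names
    hosts: object = ALL     # ALL or frozenset of target host names
    services: object = ALL  # ALL or frozenset of PAM service names
    enabled: bool = True

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset
    host: str
    service: str

def _matches(component, candidates):
    # A component matches when its category is 'all' or it lists a candidate.
    return component == ALL or bool(component & candidates)

def rule_matches(rule, req):
    return (_matches(rule.users, {req.user} | req.groups)
            and _matches(rule.hosts, {req.host})
            and _matches(rule.services, {req.service}))

def deny_rules(rules):
    # Names of enabled DENY rules: exactly what IGNORE would silently skip.
    return [r.name for r in rules if r.enabled and r.rule_type == "deny"]

def evaluate(rules, req, treat_deny_as="DENY_ALL"):
    mode = treat_deny_as.upper()  # accepts "ignore" as written in the config
    if mode not in ("DENY_ALL", "IGNORE"):
        raise ValueError("ipa_hbac_treat_deny_as must be DENY_ALL or IGNORE")
    # DENY_ALL (the default): any enabled deny rule denies everyone, no
    # matter whom it names; this is the "Connection closed" of cases 1 and 3.
    if mode == "DENY_ALL" and deny_rules(rules):
        return "deny", "DENY rules detected. Denying access to all users"
    # IGNORE: deny rules are skipped, so a user that rule1 was meant to block
    # gets in through allow_all (cases 2 and 4). Run deny_rules() first.
    for r in rules:
        if r.enabled and r.rule_type == "allow" and rule_matches(r, req):
            return "allow", f"matched allow rule [{r.name}]"
    return "deny", "no allow rule matched"
```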