Bug 773759

Summary: Administrative Roles given the permission to change a user password should not be able to change user's passwords that are in the Administrators Group
Product: Red Hat Enterprise Linux 6 Reporter: Jenny Severance <jgalipea>
Component: ipaAssignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA QA Contact: IDM QE LIST <seceng-idm-qe-list>
Severity: unspecified Docs Contact:
Priority: high    
Version: 6.2CC: mkosek, nsoman
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ipa-2.2.0-3.el6 Doc Type: Bug Fix
Doc Text:
Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited. Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account. Fix: The permission was changed to allow password changes for non-admin users only. Result: Non-admin user with a permission to change passwords cannot change a password of admin users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 13:29:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jenny Severance 2012-01-12 20:00:33 UTC 
Description of problem:
With IPA and delegated administration, at this time, there is no concept of "scoping" those permissions.  However, the permission "Change a user passwd", needs to by default exclude users in the Administrators group ... or any help desk or User admin can change the administrator's password without being prompted for the existing password.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains "Change a user password" permission
3. kinit as the user
4. change the admin user's password
   ipa passwd admin
  
Actual results:
help desk admin can change passwords of users in Administrators group

Expected results:
Denied being able to change the password

Additional info:
Comment 1 Dmitri Pal 2012-01-17 17:50:24 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2271
Comment 2 Namita Soman 2012-02-14 14:28:49 UTC 
Using ipa-server-2.2.0-101.20120213T0935zgitf93d95f.el6.x86_64, user with helpdesk role can no longer change admin's password. But this user cannot change anybody's password anymore.
Comment 3 Rob Crittenden 2012-02-14 14:33:42 UTC 
Not sure why that would be, no change has been committed yet.
Comment 4 Martin Kosek 2012-02-20 18:44:57 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2416
Comment 5 Martin Kosek 2012-02-20 18:45:46 UTC 
Ticket 2271 fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/ffd39503c1e4c1b7a309953e232d4727551a58c3
ipa-2-2: https://fedorahosted.org/freeipa/changeset/6c222bdd1f4783c1a8a5c2b0b247279e63bd31c6
Comment 6 Martin Kosek 2012-02-23 10:10:01 UTC 
Ticket 2416 fixed upstream as well:
master: https://fedorahosted.org/freeipa/changeset/960baaebf4a1305a38f7cec099f51607e2427d24
ipa-2-2: https://fedorahosted.org/freeipa/changeset/3961aa8603d5c56719ad9c84607b9be278ddabe2
Comment 9 Namita Soman 2012-03-27 12:50:48 UTC 
user with helpdesk role can no longer change admin's password. And this user can change other users' password.

Verified using:
ipa-server.x86_64 0:2.2.0-4.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   LOG    ] :: Executing: ipa role-add-member --users=testuserhelpdesk "helpdesk" --all
:: [   LOG    ] :: Added testuserhelpdesk to helpdesk successfully
:: [   PASS   ] :: Adding member to role helpdesk
:: [   LOG    ] :: kinit as testuserhelpdesk with password Secret123 was successful.
:: [   PASS   ] :: kinit as testuserhelpdesk
:: [   PASS   ] :: Verify error message when testuserhelpdesk updates admin's password (bug 773759)
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_1.log' should contain 'ipa: ERROR: Insufficient access: Insufficient access rights'
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify error message when testuserhelpdesk adds a new user
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_2.log' should contain 'ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'uid=two,cn=users,cn=accounts,dc=testrelm,dc=com'.'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --last="testtest" test
:: [   LOG    ] :: Modifying user test successful.
:: [   PASS   ] :: Verify testuserhelpdesk can modify test's lastname
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify testuserhelpdesk can reset test's password
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
Comment 10 Martin Kosek 2012-04-20 10:52:14 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited.
Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account.
Fix: The permission was changed to allow password changes for non-admin users only.
Result: Non-admin user with a permission to change passwords cannot change a password of admin users.
Comment 12 errata-xmlrpc 2012-06-20 13:29:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html