Bug 895710

Summary: ipa group-mod setattr allows renaming of admins group - setattr on cn
Product: Red Hat Enterprise Linux 7
Component: ipa
Version: 7.0
Status: CLOSED CURRENTRELEASE
Severity: low
Priority: medium
Reporter: Jenny Severance <jgalipea>
Assignee: Rob Crittenden <rcritten>
QA Contact: IDM QE LIST <seceng-idm-qe-list>
CC: arubin, mkosek, nsoman, xdong
Target Milestone: rc
Target Release: 7.0
Hardware: Unspecified
OS: Unspecified
Fixed In Version: ipa-3.2.1-1.el7
Doc Type: Bug Fix
Last Closed: 2014-06-13 12:09:34 UTC
Type: Bug

Description Jenny Severance 2013-01-15 20:09:16 UTC
Description of problem:

Although --rename is no longer allowed on the admins group ...

# ipa group-show --all --raw admins
  dn: cn=admins,cn=groups,cn=accounts,dc=testrelm,dc=com


you can still setattr on cn and then no longer find, show or modify the admins group


# ipa group-mod --setattr="cn=Administrators,cn=users,cn=accounts,dc=testrelm,dc=com" admins
-----------------------
Modified group "admins"
-----------------------
  Group name: administrators,cn=users,cn=accounts,dc=testrelm,dc=com
  Description: Account administrators group
  GID: 1057800000
  Member users: admin


LDAP group entry after mod command:

# administrators\2Ccn\3Dusers\2Ccn\3Daccounts\2Cdc\3Dtestrelm\2Cdc\3Dcom, gro
 ups, accounts, testrelm.com
dn: cn=administrators\2Ccn\3Dusers\2Ccn\3Daccounts\2Cdc\3Dtestrelm\2Cdc\3Dcom,
 cn=groups,cn=accounts,dc=testrelm,dc=com
objectClass: top
objectClass: groupofnames
objectClass: posixgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: nestedGroup
description: Account administrators group
gidNumber: 1057800000
member: uid=admin,cn=users,cn=accounts,dc=testrelm,dc=com
ipaUniqueID: cd89534c-5f48-11e2-be06-00215e20311c
cn: administrators,cn=users,cn=accounts,dc=testrelm,dc=com


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-21.el6

How reproducible:
always

Steps to Reproduce:
1.
2.
3.
  
Actual results:
admin group renamed

Expected results:
error message stating it is not allowed

Additional info:
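
Added example, not part of the original report and not FreeIPA's code: a rename guard that inspects only the explicit rename option, next to one that also rejects raw attribute edits on the naming attribute. The function names, the option dictionary layout and the protected-group set are assumptions made for illustration; the error text is the one shown in the verification log on this page.

```python
# Added illustration; every name here is hypothetical, not FreeIPA's API.
PROTECTED_GROUPS = {"admins"}   # assumption: groups that must keep their name
NAMING_ATTR = "cn"              # RDN attribute of group entries, per the DN in the report
ATTR_OPTIONS = ("setattr", "addattr", "delattr")


class ProtectedEntryError(Exception):
    pass


def _deny(group):
    raise ProtectedEntryError(
        f"group {group} cannot be deleted/modified: Cannot be renamed")


def touched_attrs(options):
    """Yield normalised attribute names named by the raw attribute options."""
    for opt in ATTR_OPTIONS:
        for item in options.get(opt, []):
            name, sep, _value = item.partition("=")
            if not sep:
                raise ValueError(f"--{opt} expects attr=value, got {item!r}")
            # LDAP attribute names are case-insensitive and may carry
            # options such as ";lang-en"; compare on the base name only.
            yield name.split(";", 1)[0].strip().lower()


def weak_check(group, options):
    """The gap in the report: only the explicit rename option is inspected."""
    if group.lower() in PROTECTED_GROUPS and options.get("rename"):
        _deny(group)


def hardened_check(group, options):
    """Also reject any raw attribute edit that targets the naming attribute."""
    weak_check(group, options)
    if group.lower() in PROTECTED_GROUPS and NAMING_ATTR in touched_attrs(options):
        _deny(group)


def is_blocked(check, group, options):
    try:
        check(group, options)
    except ProtectedEntryError:
        return True
    return False


# Constructed input mirroring the command in the report.
REPORTED = {"setattr": ["cn=Administrators,cn=users,cn=accounts,dc=testrelm,dc=com"]}
```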

Comment 1 Dmitri Pal 2013-01-16 00:43:07 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/3354

Comment 3 Rob Crittenden 2013-02-19 21:58:13 UTC
Fixed upstream.

master: 5b64cde92a84c2e8ad2f99fd139fa5d13598b096

ipa-3-0: 9c50d6dbfc8c3080201583ac9dedd07139b247c0

Comment 4 Xiyang Dong 2013-08-08 13:45:26 UTC
Verified.

Version : ipa-server-3.2.2-1.el7.x86_64


Automated Test Results :

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-group-bugzillas-004 bz895710 group-mod setattr allows renaming of admins group - setattr on cn
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: check admins dn
:: [   LOG    ] :: Executing: ipa group-mod --setattr=cn=Administrators,cn=users,cn=accounts,dc=testrelm,dc=com admins
:: [   LOG    ] :: "ipa group-mod --setattr=cn=Administrators,cn=users,cn=accounts,dc=testrelm,dc=com admins" failed as expected.
:: [   PASS   ] :: Error message as expected: ipa: ERROR: group admins cannot be deleted/modified: Cannot be renamed
:: [   PASS   ] :: Verify expected error message.
:: [   LOG    ] :: Duration: 3s
:: [   LOG    ] :: Assertions: 3 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-group-bugzillas-004 bz895710 group-mod setattr allows renaming of admins group - setattr on cn

Comment 5 Ludek Smid 2014-06-13 12:09:34 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.