Bug 1108215 - Make Read replication agreements permission less more targeted
Summary: Make Read replication agreements permission less more targeted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.1
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 976382 1153292
Blocks:
Reported: 2014-06-11 14:49 UTC by Martin Kosek
Modified: 2015-03-05 10:11 UTC (History)

Fixed In Version: ipa-4.0.3-1.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-03-05 10:11:43 UTC
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Product Errata RHSA-2015:0442
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Moderate: ipa security, bug fix, and enhancement update
Last Updated: 2015-03-05 14:50:39 UTC

Description Martin Kosek 2014-06-11 14:49:25 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3829

Current ACI allowing replica admins to read replication agreements is too allowing in terms of cn=config exposure and is also not bound to any permission, thus does not allow users to assign it.

The patch for this would do basically this:
* remove the following aci from both installer and current deployments:
{{{
(targetattr != aci)(version 3.0; aci "replica admins read access"; allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* add new permission ACI like this:
{{{
(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Read Replication Agreements"; allow (read, search, compare) groupdn = "ldap:///cn=Read Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)
}}}
* make sure that "Replication Administrators" privilege has it assigned the new read permission
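As an added example (not code from the bug report, the upstream ticket, or FreeIPA itself), the following Python script parses the two ACIs quoted above and reports why the old one is too broad while the replacement passes: it checks for a missing targetfilter, a negated targetattr (which exposes every attribute except the ones listed), object classes outside the replication set, and whether the ACI is a managed permission whose name matches the permission entry in its groupdn. The `$SUFFIX` placeholder is kept verbatim from the ticket; the parser only covers the ACI features used here (targetattr, targetfilter, a single allow/deny clause with one bind rule).

```python
import re
from dataclasses import dataclass
from typing import Optional

# The two ACIs quoted in the ticket, kept verbatim including the $SUFFIX
# placeholder that the installer substitutes.
OLD_ACI = ('(targetattr != aci)(version 3.0; aci "replica admins read access"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Modify Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')
NEW_ACI = ('(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)'
           '(objectclass=nsds5replicationagreement)'
           '(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")'
           '(version 3.0; acl "permission:Read Replication Agreements"; '
           'allow (read, search, compare) groupdn = "ldap:///cn=Read Replication '
           'Agreements,cn=permissions,cn=pbac,$SUFFIX";)')

# Object classes the fixed ACI is meant to expose, and nothing else.
REPLICATION_CLASSES = {"nsds5replica", "nsds5replicationagreement",
                       "nsdswindowsreplicationagreement", "nsmappingtree"}

# Target clauses precede "(version 3.0; ...)", e.g. (targetattr != aci)
# or (targetfilter="(...)"); values may be quoted or bare.
_TARGET_RE = re.compile(
    r'\(\s*(targetattr|targetfilter|target)\s*(!?=)\s*(?:"([^"]*)"|([^\s")]+))\s*\)', re.I)
# The body: version, aci/acl name, allow|deny, rights list, bind rule.
_BODY_RE = re.compile(
    r'\(version\s+3\.0\s*;\s*(?:acl|aci)\s+"([^"]*)"\s*;\s*(allow|deny)\s*'
    r'\(([^)]*)\)\s*(.+?)\s*;\s*\)\s*$', re.I)


@dataclass
class Aci:
    name: str
    effect: str
    rights: list
    target_attr: Optional[str]
    target_attr_negated: bool
    target_filter: Optional[str]
    bind_rule: str


def parse_aci(text: str) -> Aci:
    """Split a 389-ds v3.0 ACI string into its target clauses and body."""
    body = _BODY_RE.search(text)
    if body is None:
        raise ValueError("not a version 3.0 ACI: %r" % text)
    name, effect, rights, bind_rule = body.groups()
    targets = {}
    for key, op, quoted, bare in _TARGET_RE.findall(text[:body.start()]):
        targets[key.lower()] = (op, quoted if quoted else bare)
    attr_op, attr_val = targets.get("targetattr", ("=", None))
    return Aci(name=name, effect=effect.lower(),
               rights=[r.strip().lower() for r in rights.split(",")],
               target_attr=attr_val, target_attr_negated=(attr_op == "!="),
               target_filter=targets.get("targetfilter", ("=", None))[1],
               bind_rule=bind_rule.strip())


def audit_read_aci(aci: Aci) -> list:
    """Return the reasons a read-granting ACI is broader than a managed
    'Read Replication Agreements' permission should be; empty means it passes."""
    findings = []
    if "read" in aci.rights and aci.target_filter is None:
        findings.append("no targetfilter: every entry below the ACI's placement "
                        "(here the whole cn=config subtree) becomes readable")
    if aci.target_attr_negated:
        findings.append("targetattr uses '!=': all attributes except %r are exposed"
                        % aci.target_attr)
    if aci.target_filter is not None:
        classes = {c.lower() for c in
                   re.findall(r'objectclass=([^)]+)', aci.target_filter, re.I)}
        extra = sorted(classes - REPLICATION_CLASSES)
        if extra:
            findings.append("targetfilter admits non-replication classes: %s"
                            % ", ".join(extra))
    if not aci.name.lower().startswith("permission:"):
        findings.append("not a managed permission ACI: name %r lacks the "
                        "'permission:' prefix" % aci.name)
    else:
        # A managed permission's groupdn must point at the permission entry
        # carrying the same name, e.g. cn=Read Replication Agreements,cn=permissions,...
        perm = aci.name.split(":", 1)[1].strip().lower()
        m = re.search(r'cn=([^,]+),cn=permissions,', aci.bind_rule, re.I)
        if m is None or m.group(1).strip().lower() != perm:
            findings.append("groupdn does not point at the permission entry "
                            "named in the ACI")
    return findings


if __name__ == "__main__":
    for label, text in (("old", OLD_ACI), ("new", NEW_ACI)):
        print(label, audit_read_aci(parse_aci(text)) or "OK")
```

Running it reports three findings for the old ACI (no targetfilter, negated targetattr, not a managed permission) and none for the new one; the same parser can be pointed at `aci` attribute values pulled from a live cn=config to spot other read grants that lack a targetfilter.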

Comment 1 Martin Kosek 2014-06-11 15:23:29 UTC
This request is already fixed in upstream FreeIPA project. Please refer to the linked ticket for additional details and related commits.

Comment 2 Namita Soman 2014-06-26 18:51:05 UTC
please add steps to verify

Comment 3 Martin Kosek 2014-06-27 07:55:54 UTC
To reproduce, add the privilege 'Replication Administrators' to a regular user and see what the user can access in cn=config. He should only be able to access mostly the replication agreements; he should not be able to access any settings in the cn=config base:

$ kinit admin
$ echo Secret123 | ipa user-add --first Foo --last=Bar fbar --password
$ ipa role-add test --desc test
$ ipa role-add-privilege test --privileges 'Replication Administrators'
$ ipa role-add-member test --users fbar
$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'

$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dmkosek-fedora20\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dmkosek-fedora20\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=mkosek-fedora20,dc=test
cn: "dc=mkosek-fedora20,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# search result
search: 4
result: 0 Success

# numResponses: 7
# numEntries: 6



When you run this test on an unpatched IPA, you will see *much more* access:

$ ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: fbar@UNPATCHED-IPA-TEST
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# config
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig
nsslapd-backendconfig: cn=config,cn=ipaca,cn=ldbm database,cn=plugins,cn=confi
 g
nsslapd-betype: ldbm database
nsslapd-privatenamespaces: cn=schema
nsslapd-privatenamespaces:
nsslapd-privatenamespaces: cn=monitor
nsslapd-privatenamespaces: cn=config
nsslapd-plugin: cn=Binary Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Bit String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Boolean Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Exact String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Case Ignore String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Country String Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Delivery Method Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Distinguished Name Syntax,cn=plugins,cn=config
nsslapd-plugin: cn=Enhanced Guide Syntax,cn=plugins,cn=config
...
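As an added example (not part of the bug report or of FreeIPA's test suite), the Python below turns the manual comparison in this comment into a check that can be run over saved ldapsearch output: it parses the LDIF (comments, RFC 2849 line folding, base64 `::` values), collects each entry's objectClass set, and reports whether the directory's own cn=config root entry (objectClass nsslapdConfig) is readable, which the outputs above show only on an unpatched server. The two LDIF fragments are constructed to resemble the page's output; the DN suffix `dc=example,dc=test` is a placeholder.

```python
# Constructed LDIF modelled on the patched ldapsearch output above: only
# SNMP, feature and mapping-tree entries are visible.
PATCHED_LDIF = r"""
# extended LDIF
#
# base <cn=config> with scope subtree

dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP

dn: cn=dc\3Dexample\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=example,dc=test

# search result
search: 4
result: 0 Success
"""

# Constructed LDIF modelled on the unpatched output: the cn=config root
# itself is readable, including a folded (continued) attribute value.
UNPATCHED_LDIF = r"""
dn: cn=config
cn: config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-backendconfig: cn=config,cn=userRoot,cn=ldbm database,cn=plugins,cn=co
 nfig

dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) from ldapsearch LDIF output.
    Comment lines are dropped, continuation lines (leading space) are joined
    to the previous line, and '::' base64 values are kept as the raw base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):          # base64-encoded value (e.g. nsState::)
            value = value[1:]
        value = value.strip()
        if attr == "dn":
            current = (value, {})
        elif current is not None:          # trailer lines like "result: 0" have no entry
            current[1].setdefault(attr.lower(), []).append(value)
    if current is not None:
        entries.append(current)
    return entries


def object_classes(text):
    """Map each DN to the lower-cased set of its objectClass values."""
    return {dn: {oc.lower() for oc in attrs.get("objectclass", [])}
            for dn, attrs in parse_ldif(text)}


def config_root_exposed(text):
    """True when an entry with objectClass nsslapdConfig (the cn=config root)
    is readable by the bound user, the signature of the unpatched ACI."""
    return any("nsslapdconfig" in ocs for ocs in object_classes(text).values())


if __name__ == "__main__":
    for label, text in (("patched", PATCHED_LDIF), ("unpatched", UNPATCHED_LDIF)):
        print(label, "entries:", len(parse_ldif(text)),
              "cn=config root exposed:", config_root_exposed(text))
```

To use it against a real server, capture `ldapsearch -Y GSSAPI -b cn=config` as the test user into a file and feed its contents to `config_root_exposed`; a `True` result means the user can still read far more of cn=config than the replication agreements.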

Comment 5 Namita Soman 2015-01-23 18:37:25 UTC
Verified using - ipa-server-4.1.0-15.el7.x86_64

# ipa privilege-show "Replication Administrators" --all
  dn: cn=Replication Administrators,cn=privileges,cn=pbac,dc=testrelm,dc=test
  Privilege name: Replication Administrators
  Description: Replication Administrators
  Permissions: Remove Replication Agreements, Modify DNA Range, Add Replication Agreements, Modify
               Replication Agreements, System: Read Replication Agreements
  Granting privilege to roles: test, Security Architect
  objectclass: top, groupofnames, nestedgroup



# ipa user-add three
First name: three
Last name: three
------------------
Added user "three"
------------------
  User login: three
  First name: three
  Last name: three
  Full name: three three
  Display name: three three
  Initials: tt
  Home directory: /home/three
  GECOS: three three
  Login shell: /bin/sh
  Kerberos principal: three
  Email address: three
  UID: 1453400008
  GID: 1453400008
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False


# ipa role-add test --desc test
-----------------
Added role "test"
-----------------
  Role name: test
  Description: test


# ipa role-add-privilege test --privileges 'Replication Administrators'
  Role name: test
  Description: test
  Privileges: Replication Administrators
----------------------------
Number of privileges added 1
----------------------------



# ipa role-add-member test --users three
  Role name: test
  Description: test
  Member users: three
  Privileges: Replication Administrators
-------------------------
Number of members added 1
-------------------------


[root@qeblade6 ipa-dns]# kinit three
Password for three: 


# ldapsearch -h `hostname` -Y GSSAPI -b 'cn=config'
SASL/GSSAPI authentication started
SASL username: three
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# SNMP, config
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

# 1.3.6.1.4.1.4203.1.9.1.1, features, config
dn: oid=1.3.6.1.4.1.4203.1.9.1.1,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 1.3.6.1.4.1.4203.1.9.1.1
cn: Sync Request Control

# 2.16.840.1.113730.3.4.9, features, config
dn: oid=2.16.840.1.113730.3.4.9,cn=features,cn=config
objectClass: top
objectClass: directoryServerFeature
oid: 2.16.840.1.113730.3.4.9
cn: VLV Request Control

# cn\3Dchangelog, mapping tree, config
dn: cn=cn\3Dchangelog,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: cn=changelog

# dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: dc=testrelm,dc=test
cn: "dc=testrelm,dc=test"
nsslapd-state: backend
nsslapd-backend: userRoot

# o\3Dipaca, mapping tree, config
dn: cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
cn: o=ipaca

# replica, dc\3Dtestrelm\2Cdc\3Dtest, mapping tree, config
dn: cn=replica,cn=dc\3Dtestrelm\2Cdc\3Dtest,cn=mapping tree,cn=config
cn: replica
nsDS5Flags: 1
objectClass: nsds5replica
objectClass: top
objectClass: extensibleobject
nsDS5ReplicaType: 3
nsDS5ReplicaRoot: dc=testrelm,dc=test
nsds5ReplicaLegacyConsumer: off
nsDS5ReplicaId: 4
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindDN: krbprincipalname=ldap/mgmt2.testrelm.test,cn
 =services,cn=accounts,dc=testrelm,dc=test
nsState:: BAAAAAAAAAC/i8JUAAAAAAAAAAAAAAAAAgAAAAAAAAADAAAAAAAAAA==
nsDS5ReplicaName: 39122d05-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 1634
nsds5replicareapactive: 0

# replica, o\3Dipaca, mapping tree, config
dn: cn=replica,cn=o\3Dipaca,cn=mapping tree,cn=config
objectClass: top
objectClass: nsDS5Replica
objectClass: extensibleobject
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaType: 3
nsDS5ReplicaBindDN: cn=Replication Manager masterAgreement1-mgmt2.testrelm.tes
 t-pki-tomcat,ou=csusers,cn=config
cn: replica
nsDS5ReplicaId: 96
nsDS5Flags: 1
nsState:: YAAAAAAAAABkicJUAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAA==
nsDS5ReplicaName: 8098b905-a1e611e4-afdfc7c4-104d6a42
nsds5ReplicaChangeCount: 171

# masterAgreement1-mgmt2.testrelm.test-pki-tomcat, replica, o\3Dipaca, mappin
 g tree, config
dn: cn=masterAgreement1-mgmt2.testrelm.test-pki-tomcat,cn=replica,cn=o\3Dipaca
 ,cn=mapping tree,cn=config
objectClass: top
objectClass: nsds5replicationagreement
cn: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaRoot: o=ipaca
nsDS5ReplicaHost: mgmt2.testrelm.test
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=Replication Manager cloneAgreement1-mgmt2.testrelm.test
 -pki-tomcat,ou=csusers,cn=config
nsDS5ReplicaBindMethod: Simple
nsDS5ReplicaTransportInfo: TLS
description: masterAgreement1-mgmt2.testrelm.test-pki-tomcat
nsDS5ReplicaCredentials: {DES}bZnLgsOZYoTrmMSptEByLA==
nsds50ruv: {replicageneration} 54c06e13000000600000
nsds50ruv: {replica 97 ldap://mgmt2.testrelm.test:389} 54c06e55000000610000 54
 c06e58000200610000
nsds50ruv: {replica 96 ldap://qeblade6.testrelm.test:389} 54c06e39000000600000
  54c15b5d000000600000
nsruvReplicaLastModified: {replica 97 ldap://mgmt2.testrelm.test:389} 00000000
nsruvReplicaLastModified: {replica 96 ldap://qeblade6.testrelm.test:389} 00000
 000
nsds5replicaLastUpdateStart: 0
nsds5replicaLastUpdateEnd: 0
nsds5replicaChangesSentSinceStartup:
nsds5replicaLastUpdateStatus: -1 Unable to acquire replicaLDAP error: Can't co
 ntact LDAP server
nsds5replicaUpdateInProgress: FALSE
nsds5replicaLastInitStart: 0
nsds5replicaLastInitEnd: 0

# search result
search: 4
result: 0 Success

# numResponses: 10
# numEntries: 9

Comment 7 errata-xmlrpc 2015-03-05 10:11:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0442.html

