Bug 1250145 - Add permission for user to bypass caacl enforcement
Summary: Add permission for user to bypass caacl enforcement
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-08-04 15:19 UTC by Jan Cholasta
Modified: 2015-11-19 12:04 UTC

Fixed In Version: ipa-4.2.0-5.el7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-11-19 12:04:59 UTC
Target Upstream Version:
Embargoed:


Links
Red Hat Product Errata RHBA-2015:2362 (priority normal, status SHIPPED_LIVE): ipa bug fix and enhancement update, last updated 2015-11-19 10:40:46 UTC

Description Jan Cholasta 2015-08-04 15:19:34 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/5099

Currently, even if a principal has permission to write the userCertificate
attribute of principal(s), cert-request will deny certificate issuance unless
there is a caacl rule allowing it.  This affects even admin.

Add a permission that suppresses caacl enforcement in cert-request, of which
admin is a member.

Discussion on freeipa-devel: https://www.redhat.com/archives/freeipa-devel/2015-July/msg00110.html

Comment 3 Scott Poore 2015-09-29 15:46:57 UTC
How can I verify this?

Does this cover verification?

ipa privilege-show "Certificate Administrators"

ipa permission-show "Request Certificate ignoring CA ACLs"

ipa caacl-disable hosts_services_caIPAserviceCert

certutil -R -d /etc/pki/nssdb/ -s "CN=$(hostname)" -a -o /root/bzsvc1.csr -v 12 -8 $(hostname)

ipa cert-request /root/bzsvc1.csr --profile-id=caIPAserviceCert --principal=BZSVC1/$(hostname)

How can I confirm that this doesn't allow anyone to do this now?  Is it possible to add a new user and give them permissions that would allow them to create a service but not allow them to ignore the CAACL restrictions?

[root@rhel7-1 ~]# ipa privilege-show --raw --all "Certificate Administrators"
  dn: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=com
  cn: Certificate Administrators
  description: Certificate Administrators
  memberof: cn=Retrieve Certificates from the CA,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Request Certificate,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Request Certificates from a different host,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Get Certificates status from the CA,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Revoke Certificate,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Certificate Remove Hold,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Request Certificate with SubjectAltName,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Add CA Certificate For Renewal,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Add Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Modify CA Certificate,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Modify CA Certificate For Renewal,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Modify Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
  memberof: cn=System: Remove Certificate Store Entry,cn=permissions,cn=pbac,dc=example,dc=com
  objectClass: top
  objectClass: groupofnames
  objectClass: nestedgroup


[root@rhel7-1 ~]# ipa permission-show --raw --all "Request Certificate ignoring CA ACLs"
  dn: cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com
  cn: Request Certificate ignoring CA ACLs
  ipapermright: write
  ipapermincludedattr: objectclass
  ipapermbindruletype: permission
  ipapermlocation: dc=example,dc=com
  ipapermtarget: cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=example,dc=com
  member: cn=Certificate Administrators,cn=privileges,cn=pbac,dc=example,dc=com
  aci: (targetattr = "objectclass")(target = "ldap:///cn=request certificate ignore caacl,cn=virtual operations,cn=etc,dc=example,dc=com" )(version 3.0; acl "permission:Request Certificate ignoring CA ACLs"; allow (write) groupdn = "ldap:///cn=Request Certificate ignoring CA ACLs,cn=permissions,cn=pbac,dc=example,dc=com";)
  objectclass: ipapermission
  objectclass: top
  objectclass: groupofnames

[root@rhel7-1 ~]# ipa caacl-find
----------------
1 CA ACL matched
----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: FALSE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert
----------------------------
Number of entries returned 1
----------------------------

[root@rhel7-1 ~]# certutil -R -d /etc/pki/nssdb/ -s "CN=$(hostname)" -a -o /root/bzsvc1.csr -v 12 -8 $(hostname)

A random seed must be generated that will be used in the
creation of your key.  One of the easiest ways to create a
random seed is to use the timing of keystrokes on a keyboard.

To begin, type keys on the keyboard until this progress meter
is full.  DO NOT USE THE AUTOREPEAT FUNCTION ON YOUR KEYBOARD!


Continue typing until the progress meter is full:

|************************************************************|

Finished.  Press enter to continue: 


Generating key.  This may take a few moments...

[root@rhel7-1 ~]# ipa cert-request /root/bzsvc1.csr --profile-id=caIPAserviceCert --principal=BZSVC1/rhel7-1.example.com
  Certificate: ...truncated...
  Subject: CN=rhel7-1.example.com,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Tue Sep 29 15:32:54 2015 UTC
  Not After: Fri Sep 29 15:32:54 2017 UTC
  Fingerprint (MD5): cc:98:f5:3a:d5:3d:bd:6f:2f:4f:87:a2:9f:fe:f7:dd
  Fingerprint (SHA1): 22:ed:6b:92:fd:7a:28:79:19:66:a7:55:e8:71:18:6e:b7:7c:9a:d9
  Serial number: 14
  Serial number (hex): 0xE

Comment 4 Martin Bašti 2015-09-29 16:32:24 UTC
Hello,

you can add a new user that should not be allowed to do anything with certificates.

Then you can create a new privilege from Certificate Admins without the "Request Certificate ignoring CA ACLs" permission. The user should be able to do operations allowed by CA ACL when this privilege is added to him.

Comment 5 Scott Poore 2015-09-30 02:51:58 UTC
Martin,

Is there an easy way to clone the privilege or do I have to manually create a new one without that permission?

Thanks,
Scott

Comment 6 Martin Bašti 2015-09-30 08:31:54 UTC
IMO there is no way to copy privileges.

You have to create a new privilege manually.

Comment 7 Scott Poore 2015-09-30 16:19:15 UTC
Verified.

Version ::

ipa-server-4.2.0-11.el7.x86_64

Results ::

[root@rhel7-1 ~]# ipa privilege-add testpriv
--------------------------
Added privilege "testpriv"
--------------------------

[root@rhel7-1 ~]# OLD_IFS="$IFS"

[root@rhel7-1 ~]# IFS="
> "

[root@rhel7-1 ~]# for perm in $(ipa privilege-show --all --raw "Certificate Administrators" |grep -i memberof|cut -f2 -d=|cut -f1 -d,|grep -v "Request Certificate ignoring CA ACLs"); do ipa privilege-add-permission testpriv --permissions="$perm"; done
...truncated....
  Privilege name: testpriv
  Permissions: Retrieve Certificates from the CA, Request Certificate, Request Certificates from a
               different host, Get Certificates status from the CA, Revoke Certificate, Certificate
               Remove Hold, Request Certificate with SubjectAltName, System: Add CA Certificate For
               Renewal, System: Add Certificate Store Entry, System: Modify CA Certificate, System:
               Modify CA Certificate For Renewal, System: Modify Certificate Store Entry, System:
               Remove Certificate Store Entry
-----------------------------
Number of permissions added 1
-----------------------------

[root@rhel7-1 ~]# IFS="$OLD_IFS"

[root@rhel7-1 ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
  Role name: testrole

[root@rhel7-1 ~]# ipa role-add-privilege testrole --privileges=testpriv
  Role name: testrole
  Privileges: testpriv
----------------------------
Number of privileges added 1
----------------------------

[root@rhel7-1 ~]# ipa group-add testgroup
-----------------------
Added group "testgroup"
-----------------------
  Group name: testgroup
  GID: 1958800012

[root@rhel7-1 ~]# ipa user-add testuser --first=f --last=l --password
Password: 
Enter Password again to verify: 
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Kerberos principal: testuser
  Email address: testuser
  UID: 1958800013
  GID: 1958800013
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@rhel7-1 ~]# ipa role-add-member testrole --groups=testgroup
  Role name: testrole
  Member groups: testgroup
  Privileges: testpriv
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa group-add-member testgroup --users=testuser
  Group name: testgroup
  GID: 1958800012
  Member users: testuser
  Roles: testrole
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# kinit testuser
Password for testuser: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa caacl-enable hosts_services_caIPAserviceCert
------------------------------------------------
Enabled CA ACL "hosts_services_caIPAserviceCert"
------------------------------------------------

[root@rhel7-1 ~]# ipa caacl-add testcaacl --profilecat=all --hostcat=all --servicecat=all
------------------------
Added CA ACL "testcaacl"
------------------------
  ACL name: testcaacl
  Enabled: TRUE
  Profile category: all
  Host category: all
  Service category: all

[root@rhel7-1 ~]# ipa caacl-add-user testcaacl --users=testuser
  ACL name: testcaacl
  Enabled: TRUE
  Profile category: all
  Host category: all
  Service category: all
  Users: testuser
-------------------------
Number of members added 1
-------------------------

[root@rhel7-1 ~]# ipa certprofile-show caIPAserviceCert --out=caIPAuserCert.txt
--------------------------------------------------------
Profile configuration stored in file 'caIPAuserCert.txt'
--------------------------------------------------------
  Profile ID: caIPAserviceCert
  Profile description: Standard profile for network services
  Store issued certificates: TRUE

[root@rhel7-1 ~]# sed  -i '/^profileId=.*$/d' caIPAuserCert.txt

[root@rhel7-1 ~]# sed -i 's/^desc=.*$/desc=test ca profile/' caIPAuserCert.txt

[root@rhel7-1 ~]# ipa certprofile-import caIPAuserCert --file=caIPAuserCert.txt --store=True
Profile description: test ca profile
--------------------------------
Imported profile "caIPAuserCert"
--------------------------------
  Profile ID: caIPAuserCert
  Profile description: test ca profile
  Store issued certificates: TRUE

[root@rhel7-1 ~]# openssl req -new -newkey rsa:2048 -days 365 -nodes -keyout testcert.key -out testcert.csr -subj '/CN=testuser'
Generating a 2048 bit RSA private key
............................+++
.....................................................................+++
writing new private key to 'testcert.key'
-----

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit testuser 
Password for testuser: 

#####################################################################
############ Here the user is granted access because CAACL rights are in place to allow the user access.
#####################################################################

[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
  Certificate: MIIE...truncated...
  Subject: CN=testuser,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Sep 30 15:45:18 2015 UTC
  Not After: Sat Sep 30 15:45:18 2017 UTC
  Fingerprint (MD5): db:2d:50:55:a2:55:ee:49:ec:41:1c:30:07:a0:4e:e6
  Fingerprint (SHA1): c1:54:79:6f:57:76:8e:cc:75:d4:de:f4:30:79:4e:d6:9f:39:04:27
  Serial number: 20
  Serial number (hex): 0x14

########################################

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa caacl-remove-user testcaacl --users=testuser
  ACL name: testcaacl
  Enabled: TRUE
  Profile category: all
  Host category: all
  Service category: all
---------------------------
Number of members removed 1
---------------------------
[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit testuser
Password for testuser: 

#####################################################################
############  Here the user is denied because CAACL access not set
#####################################################################

[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
ipa: ERROR: Insufficient access: Principal 'testuser' is not permitted to use CA '.' with profile 'caIPAuserCert' for certificate issuance.


###########################

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit admin
Password for admin: 

[root@rhel7-1 ~]# ipa privilege-add-permission testpriv --permissions="Request Certificate ignoring CA ACLs"
  Privilege name: testpriv
  Permissions: Retrieve Certificates from the CA, Request Certificate, Request Certificates from a different host, Get Certificates status from the
               CA, Revoke Certificate, Certificate Remove Hold, Request Certificate with SubjectAltName, Request Certificate ignoring CA ACLs,
               System: Add CA Certificate For Renewal, System: Add Certificate Store Entry, System: Modify CA Certificate, System: Modify CA
               Certificate For Renewal, System: Modify Certificate Store Entry, System: Remove Certificate Store Entry
  Granting privilege to roles: testrole
-----------------------------
Number of permissions added 1
-----------------------------
[root@rhel7-1 ~]# ipa caacl-find
-----------------
2 CA ACLs matched
-----------------
  ACL name: hosts_services_caIPAserviceCert
  Enabled: TRUE
  Host category: all
  Service category: all
  Profiles: caIPAserviceCert

  ACL name: testcaacl
  Enabled: TRUE
  Profile category: all
  Host category: all
  Service category: all
----------------------------
Number of entries returned 2
----------------------------

[root@rhel7-1 ~]# kdestroy -A

[root@rhel7-1 ~]# kinit testuser
Password for testuser: 

#####################################################################
############ Here access is granted again because the permission to ignore CAACL was added to the privilege
#####################################################################

[root@rhel7-1 ~]# ipa cert-request testcert.csr --principal=testuser --profile-id=caIPAuserCert
  Certificate: MIIEB...truncated...
  Subject: CN=testuser,O=EXAMPLE.COM
  Issuer: CN=Certificate Authority,O=EXAMPLE.COM
  Not Before: Wed Sep 30 15:55:28 2015 UTC
  Not After: Sat Sep 30 15:55:28 2017 UTC
  Fingerprint (MD5): 7c:b1:8b:ba:37:f0:46:74:84:e5:a3:61:25:63:4d:f6
  Fingerprint (SHA1): 87:65:b3:b3:af:bb:09:61:62:ee:6b:14:d4:a0:b2:94:af:ef:69:33
  Serial number: 21
  Serial number (hex): 0x15
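
Added example (not FreeIPA code and not part of the comments above): a small Python model of the access decision this report describes, replaying the three cert-request attempts from the verification log. The directory contents (testpriv, testrole, testgroup, testuser, the two CA ACLs) are constructed from the log; host and service principals are left out of the model.

```python
from dataclasses import dataclass, field

# Permission added by this fix (name taken from the permission-show output above).
BYPASS_PERMISSION = "Request Certificate ignoring CA ACLs"

@dataclass
class CAACL:
    """One CA ACL; host/service categories omitted, only user principals replayed."""
    name: str
    enabled: bool = True
    usercat: str = ""      # "all" or ""
    profilecat: str = ""   # "all" or ""
    users: set = field(default_factory=set)
    profiles: set = field(default_factory=set)

    def matches(self, user, profile):
        if not self.enabled:   # caacl-disable makes the rule inert
            return False
        user_ok = self.usercat == "all" or user in self.users
        profile_ok = self.profilecat == "all" or profile in self.profiles
        return user_ok and profile_ok

def permissions_of(d, user):
    """Walk user -> group -> role -> privilege -> permission in directory d."""
    perms = set()
    for role, groups in d["role_groups"].items():
        if any(user in d["groups"].get(g, ()) for g in groups):
            for priv in d["roles"].get(role, ()):
                perms |= d["privileges"].get(priv, set())
    return perms

def authorize_cert_request(d, user, profile):
    """(allowed, reason) as cert-request decides it for a user principal. The
    bypass permission short-circuits every CA ACL, so grant it sparingly."""
    if BYPASS_PERMISSION in permissions_of(d, user):
        return True, "allowed: requester holds '%s'" % BYPASS_PERMISSION
    if any(acl.matches(user, profile) for acl in d["caacls"]):
        return True, "allowed: an enabled CA ACL matches"
    return False, ("Insufficient access: Principal '%s' is not permitted to use "
                   "CA '.' with profile '%s' for certificate issuance." % (user, profile))

def replay_verification():
    """Replay the three cert-request attempts from the verification log above."""
    d = {"privileges": {"testpriv": {"Request Certificate", "Revoke Certificate"}},
         "roles": {"testrole": {"testpriv"}}, "role_groups": {"testrole": {"testgroup"}},
         "groups": {"testgroup": {"testuser"}},
         "caacls": [CAACL("hosts_services_caIPAserviceCert", profiles={"caIPAserviceCert"}),
                    CAACL("testcaacl", profilecat="all", users={"testuser"})]}
    first = authorize_cert_request(d, "testuser", "caIPAuserCert")   # member of testcaacl
    d["caacls"][1].users.discard("testuser")                        # caacl-remove-user
    second = authorize_cert_request(d, "testuser", "caIPAuserCert")  # no ACL matches now
    d["privileges"]["testpriv"].add(BYPASS_PERMISSION)              # privilege-add-permission
    third = authorize_cert_request(d, "testuser", "caIPAuserCert")   # bypass wins
    return [first, second, third]
```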

Comment 8 errata-xmlrpc 2015-11-19 12:04:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2362.html

