Bug 1338031 - Insufficient 'write' privilege on some attributes for the members of the role which has "User Administrators" privilege.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.2
Hardware: Unspecified
OS: Linux
Target Milestone: rc
Assignee: IPA Maintainers
QA Contact: Kaleem
Reported: 2016-05-20 19:28 UTC by Abhinay Reddy Peddireddy
Modified: 2016-11-04 05:54 UTC (History)
Last Closed: 2016-11-04 05:54:16 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Abhinay Reddy Peddireddy 2016-05-20 19:28:44 UTC
Description of problem:

Not able to edit the employeenumber, email and departnumber attributes as a user who is added to the role having the "User Administrators" privilege.

Getting the error like below:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.


Steps to Reproduce:

1. Create a user in IPA with the Kerberos principal of admin.
  
  # kinit admin 

  # ipa user-add abhinayreddy --password 

2. Create a new role in IPA.  

   # ipa role-add usermodifier
  
3. Add "User Administrators" privilege to the new role created. 
   
   # ipa role-add-privilege --privileges="User Administrators" usermodifier

4. Add new user created as a member of the role. 

   # ipa role-add-member --users=abhinayreddy usermodifier

5. Get the Kerberos principal for the user "abhinayreddy".

   # kinit abhinayreddy 

6. Try to modify the employeenumber, email or departnumber of the user "ipauser".

   # ipa user-mod --employeenumber=123 ipauser

   # ipa user-mod --departmentnumber=12345 ipauser

   # ipa user-mod --email=rd@redhat.com ipauser


Actual results:

Getting the below error:

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'employeeNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'departmentNumber' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.

ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'mail' attribute of entry 'uid=ipauser,cn=users,cn=accounts,dc=redhat,dc=com'.



Expected results:

User "abhinayreddy" should be able to modify the employeenumber, email and departnumber attributes of the user "ipauser".


# ipa user-mod --employeenumber=123 ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Employee Number: 123
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --departmentnumber=122 ipauser
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Department Number: 122
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


# ipa user-mod --email=ipauser@redhat.com ipauser 
----------------------------
Modified user "ipauser"
----------------------------
  User login: ipauser
  First name: ipa
  Last name: user
  Home directory: /home/ipauser
  Login shell: /bin/sh
  Email address: ipauser@gsslab.pnq.redhat.com
  UID: 659600018
  GID: 659600018
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: usermodifier
  Kerberos keys available: True


Additional info:

Maybe this is helpful:

I can see that there is no write permission defined for these attributes in the permissions of Modify Users.


# System: Modify Users, permissions, pbac, gsslab.pnq.redhat.com
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermTargetFilter: (objectclass=posixaccount)
ipaPermRight: write
ipaPermBindRuleType: permission
ipaPermissionType: V2
ipaPermissionType: MANAGED
ipaPermissionType: SYSTEM
cn: System: Modify Users
objectClass: ipapermission
objectClass: top
objectClass: groupofnames
objectClass: ipapermissionv2
member: cn=User Administrators,cn=privileges,cn=pbac,dc=gsslab,dc=pnq,dc=redha
 t,dc=com
member: cn=Modify Users and Reset passwords,cn=privileges,cn=pbac,dc=gsslab,dc
 =pnq,dc=redhat,dc=com
ipaPermDefaultAttr: telephonenumber
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: labeleduri
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: street
ipaPermDefaultAttr: displayname
ipaPermDefaultAttr: homephone
ipaPermDefaultAttr: title
ipaPermDefaultAttr: facsimiletelephonenumber
ipaPermDefaultAttr: loginshell
ipaPermDefaultAttr: employeetype
ipaPermDefaultAttr: description
ipaPermDefaultAttr: businesscategory
ipaPermDefaultAttr: preferredlanguage
ipaPermDefaultAttr: roomnumber
ipaPermDefaultAttr: mepmanagedentry
ipaPermDefaultAttr: carlicense
ipaPermDefaultAttr: postalcode
ipaPermDefaultAttr: givenname
ipaPermDefaultAttr: pager
ipaPermDefaultAttr: seealso
ipaPermDefaultAttr: objectclass
ipaPermDefaultAttr: inetuserhttpurl
ipaPermDefaultAttr: l
ipaPermDefaultAttr: st
ipaPermDefaultAttr: mobile
ipaPermDefaultAttr: gecos
ipaPermDefaultAttr: sn
ipaPermDefaultAttr: ou
ipaPermDefaultAttr: secretary
ipaPermDefaultAttr: userclass
ipaPermDefaultAttr: initials
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com

Comment 2 Martin Bašti 2016-05-23 07:48:28 UTC
Hello,

'employeenumber' is not covered by default by the privilege you mentioned above.

However, it can be added by modifying 'Permission: System: Modify Users'.

Please open IPA WebUI (as admin), IPA Server/Role Based Access control/Permissions/'Permission: System: Modify Users'  and mark 'employee number' in effective attributes section.

Same for email, and department number.


Please let me know if the provided steps work.
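A scripted version of the check in the description (which attributes the 'System: Modify Users' dump actually grants write on) and of the workaround above (adding the missing ones), as an added example that is not code from the bug report or from FreeIPA. It parses an LDIF dump of a managed permission, computes the effective attribute set the way FreeIPA does for managed permissions (ipaPermDefaultAttr plus ipaPermIncludedAttr minus ipaPermExcludedAttr), and builds the `ipa permission-mod --includedattrs` command that is the CLI equivalent of ticking the attributes in the Web UI; the sample LDIF is a constructed, abbreviated copy of the entry in the description.

```python
"""Added example (not from the report or FreeIPA): which attributes does a managed write permission miss?"""

# Constructed, abbreviated copy of the 'System: Modify Users' entry in the bug description.
SAMPLE_LDIF = """\
dn: cn=System: Modify Users,cn=permissions,cn=pbac,dc=gsslab,dc=pnq,dc=redhat,
 dc=com
ipaPermRight: write
cn: System: Modify Users
ipaPermDefaultAttr: cn
ipaPermDefaultAttr: manager
ipaPermDefaultAttr: title
ipaPermLocation: cn=users,cn=accounts,dc=redhat,dc=com
"""

def parse_ldif_entry(text):
    """Return {attr: [values]} for one LDIF entry, folding RFC 2849 continuation
    lines (leading space) into the line before them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        name, _, value = line.partition(":")  # split on first colon only: values contain ':'
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def effective_attrs(entry):
    """Managed permission semantics: default + included - excluded, compared case-insensitively."""
    vals = lambda key: {v.lower() for v in entry.get(key, [])}
    return (vals("ipapermdefaultattr") | vals("ipapermincludedattr")) - vals("ipapermexcludedattr")

def missing_write_attrs(ldif_text, wanted):
    """Attributes in `wanted` that this permission does not grant 'write' on."""
    entry = parse_ldif_entry(ldif_text)
    if "write" not in {v.lower() for v in entry.get("ipapermright", [])}:
        return sorted(a.lower() for a in wanted)  # no write right at all: everything is missing
    have = effective_attrs(entry)
    return sorted(a.lower() for a in wanted if a.lower() not in have)

def fix_command(permission_cn, missing):
    """CLI equivalent of ticking the attributes in the Web UI; None if nothing needs adding."""
    if not missing:
        return None
    flags = " ".join(f"--includedattrs={a}" for a in missing)
    return f'ipa permission-mod "{permission_cn}" {flags}'
```

Run it against a real dump taken with `ipa permission-show --all --raw "System: Modify Users"` to see which of the attributes a role's members are denied before they hit the error in the description.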

Comment 3 Martin Bašti 2016-05-25 13:18:46 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/5911

Comment 4 Abhinay Reddy Peddireddy 2016-05-26 14:32:54 UTC
Check-marking those attributes in the effective users section of the write privilege worked fine as expected.

Comment 5 Martin Bašti 2016-05-29 12:16:16 UTC
Great, the defaults will be fixed in 7.3.

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1ce63e6193701679f539f7c83ddee9f65056b806

Comment 7 Scott Poore 2016-09-09 23:59:27 UTC
Verified.

Version ::

ipa-server-4.4.0-9.el7.x86_64

Results ::

[root@master ~]# ipa user-add testadmin --first=f --last=l
----------------------
Added user "testadmin"
----------------------
  User login: testadmin
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testadmin
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testadmin@IPA.TEST
  Principal alias: testadmin@IPA.TEST
  Email address: testadmin@ipa.test
  UID: 989000013
  GID: 989000013
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa passwd testadmin
New Password: 
Enter New Password again to verify: 
-----------------------------------------
Changed password for "testadmin@IPA.TEST"
-----------------------------------------

[root@master ~]# kinit testadmin
Password for testadmin@IPA.TEST: 
Password expired.  You must change it now.
Enter new password: 
Enter it again: 

[root@master ~]# kdestroy -A

[root@master ~]# kinit admin
Password for admin@IPA.TEST: 

[root@master ~]# ipa role-add testrole
---------------------
Added role "testrole"
---------------------
  Role name: testrole

[root@master ~]# ipa role-add-privilege --privileges="User Administrators" testrole
  Role name: testrole
  Privileges: User Administrators
----------------------------
Number of privileges added 1
----------------------------

[root@master ~]# ipa role-add-member --users=testadmin testrole
  Role name: testrole
  Member users: testadmin
  Privileges: User Administrators
-------------------------
Number of members added 1
-------------------------

[root@master ~]# ipa user-add testuser --first=f --last=l
---------------------
Added user "testuser"
---------------------
  User login: testuser
  First name: f
  Last name: l
  Full name: f l
  Display name: f l
  Initials: fl
  Home directory: /home/testuser
  GECOS: f l
  Login shell: /bin/sh
  Principal name: testuser@IPA.TEST
  Principal alias: testuser@IPA.TEST
  Email address: testuser@ipa.test
  UID: 989000014
  GID: 989000014
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# kdestroy -A

[root@master ~]# kinit testadmin
Password for testadmin@IPA.TEST: 

[root@master ~]# ipa user-mod testuser --employeenumber=123
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser@IPA.TEST
  Principal alias: testuser@IPA.TEST
  Email address: testuser@ipa.test
  UID: 989000014
  GID: 989000014
  Employee Number: 123
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --departmentnumber=122
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser@IPA.TEST
  Principal alias: testuser@IPA.TEST
  Email address: testuser@ipa.test
  UID: 989000014
  GID: 989000014
  Department Number: 122
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --email=testuser@testdomain.test
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser@IPA.TEST
  Principal alias: testuser@IPA.TEST
  Email address: testuser@testdomain.test
  UID: 989000014
  GID: 989000014
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

[root@master ~]# ipa user-mod testuser --manager=admin
------------------------
Modified user "testuser"
------------------------
  User login: testuser
  First name: f
  Last name: l
  Home directory: /home/testuser
  Login shell: /bin/sh
  Principal name: testuser@IPA.TEST
  Principal alias: testuser@IPA.TEST
  Email address: testuser@testdomain.test
  UID: 989000014
  GID: 989000014
  Manager: admin
  Account disabled: False
  Password: False
  Member of groups: ipausers
  Kerberos keys available: False

Comment 9 errata-xmlrpc 2016-11-04 05:54:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

