Red Hat Bugzilla – Bug 440989
[SECURITY] CMC authorization check not done by default
Last modified: 2015-01-05 20:19:00 EST
Description of problem:
By default, the authorization check is not done for Signed CMC-Authenticated
User certificate enrollment.
A non-agent user that has an entry in the user db (e.g. a non-agent
administrator, or an auditor, or simply a user that was stripped of agent
privilege but whose account was left in the db) can then sign a CMC request
with his cert and gets automatic approval.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. generate a user cert
2. add a user, add him to a non-agent group, like, say, "Auditors" (or just
leave it with no group).
3. add the user's cert to the user
4. use the user's cert to sign a CMC cert.
5. paste it into the "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input" form.
6. You will get a successful enrollment (and that's bad)
should get an authorization error
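The gap the report describes is that the enrollment profile authenticated the CMC signer (its cert maps to an entry in the user db) but never authorized that user (checked that the user actually holds agent privilege). The model below is an added illustration written for this page, not Dogtag/Certificate System code: the user db, the group name "Certificate Manager Agents", and the fingerprint strings are all constructed, and `enroll_cmc_unpatched` reproduces the missing check while `enroll_cmc_patched` adds the authorization step the attached fix introduces.

```python
"""Simplified model of the authentication-vs-authorization gap in CMC enrollment.

Assumptions (not from the bug page): a user db keyed by certificate
fingerprint, and an agent group named "Certificate Manager Agents".
"""
from dataclasses import dataclass, field


@dataclass
class UserDB:
    """Maps cert fingerprint -> uid and uid -> set of group names."""
    certs: dict = field(default_factory=dict)
    groups: dict = field(default_factory=dict)


AGENT_GROUP = "Certificate Manager Agents"  # assumed group name


def authenticate(db: UserDB, signer_fingerprint: str):
    """Authentication: map the CMC signer's cert to a user entry (None if unknown)."""
    return db.certs.get(signer_fingerprint)


def authorize(db: UserDB, uid: str, required_group: str = AGENT_GROUP) -> bool:
    """Authorization: the authenticated user must be a member of the agent group."""
    return required_group in db.groups.get(uid, set())


def enroll_cmc_unpatched(db: UserDB, signer_fingerprint: str) -> str:
    """Behaviour described in the report: any user with a cert in the db is approved."""
    uid = authenticate(db, signer_fingerprint)
    if uid is None:
        return "Authentication Error"
    return "Approved"  # bug: no authorization check after authentication


def enroll_cmc_patched(db: UserDB, signer_fingerprint: str) -> str:
    """Fixed flow: authenticate, then require agent privilege before approval."""
    uid = authenticate(db, signer_fingerprint)
    if uid is None:
        return "Authentication Error"
    if not authorize(db, uid):
        return "Authorization Error"  # the result the verifier saw after the fix
    return "Approved"


def build_sample_db() -> UserDB:
    """Constructed sample: one real agent, one auditor, one de-privileged account."""
    db = UserDB()
    db.certs = {
        "fp-agent1": "agent1",
        "fp-auditor1": "auditor1",
        "fp-stripped1": "stripped1",
    }
    db.groups = {
        "agent1": {AGENT_GROUP},
        "auditor1": {"Auditors"},
        "stripped1": set(),  # agent privilege removed, entry left in the db
    }
    return db


def compare_flows(db: UserDB) -> dict:
    """Return {fingerprint: (unpatched_result, patched_result)} for every known cert."""
    return {
        fp: (enroll_cmc_unpatched(db, fp), enroll_cmc_patched(db, fp))
        for fp in list(db.certs) + ["fp-unknown"]
    }


if __name__ == "__main__":
    for fp, (before, after) in compare_flows(build_sample_db()).items():
        print(f"{fp:14} unpatched={before:22} patched={after}")
```

Running the block shows the auditor and the stripped account approved by the unpatched flow and rejected with "Authorization Error" by the patched one, while an unknown cert fails at authentication in both; the agent is approved in both.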
Created attachment 301334 [details]
added authorization to default CMC enrollment profile. Added error output.
pending peer code review
id: 301334 awnuk+
[cfu@jaw pki]$ svn status | grep -v ^$ | grep -v ^P | grep -v ^X
[cfu@jaw pki]$ svn commit
Transmitting file data ...
Committed revision 17.
Verified (June-18-09 build). Signed a csr request with a user added to "Auditors" group and then generated a CMC request using CMCEnroll as below
CMCEnroll -d "/home/user1/.mozilla/firefox/po7qy4w7.default/" -n "guser1's csdomain ID" -r "/root/certreq.txt" -p netscape
And then pasted the output to "Signed CMC-Authenticated user Certificate Enrollment Cert
Request Input form"
Result - "Authorization Error"