Bug 634301 - ipa host-mod --setattr should not allow enrolledBy to be changed
Summary: ipa host-mod --setattr should not allow enrolledBy to be changed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-admintools
Version: 2.0
Hardware: All
OS: Linux
low
high
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On:
Blocks: 716287
Reported: 2010-09-15 18:38 UTC by Jenny Severance
Modified: 2015-01-04 23:43 UTC (History)

Fixed In Version: freeipa-2.1.3-5.fc16
Clone Of:
: 716287 (view as bug list)
Environment:
Last Closed: 2012-03-28 09:36:48 UTC
Embargoed:



Description Jenny Severance 2010-09-15 18:38:16 UTC
Description of problem:
ipa host-mod --setattr on enrolledBy attribute is successful.  This should not be allowed.

Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010080617git830910d.fc12.i686
ipa-admintools-1.91-0.2010080617git830910d.fc12.i686


How reproducible:
always

Steps to Reproduce:
1. add a new host
  # ipa host-add newhost.domain.com
2. enrolledBy value should be set to your current admin id - verify
  # ipa host-show --all newhost.domain.com
3. change the enrolledBy value
  # ipa host-mod --setattr enrolledBy="uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com" newhost.domain.com
4. check value of enrolledBy 
 # ipa host-show --all newhost.domain.com

Actual results:
successful

Expected results:
error message stating the operation is not allowed

Additional info:

Comment 1 Rob Crittenden 2010-09-27 19:03:38 UTC
Will control this via the framework, not an ACI, so it will still be writable by an LDAP write. This will prevent casual overwriting.

This is difficult to fix because a host can be unenrolled and re-enrolled, so the attribute needs to be writable under some conditions.

https://fedorahosted.org/freeipa/ticket/302

Comment 2 Dmitri Pal 2010-12-10 22:51:47 UTC
master: 9726941e3d8cfd653034af09d34986b9f9dfdadf

Comment 3 Jenny Severance 2011-06-10 20:19:54 UTC
verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

Comment 4 Jenny Severance 2011-06-23 16:54:41 UTC
Regression

Version:

ipa-server.i686 0:2.0.99-1.20110622T0510zgit3a36ece.el6


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: ERROR: Expected "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" to fail.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: no modifications to be performed  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 13s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax

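The mechanism comment 1 describes and the two failure modes the logs in comment 4 compare, as an added example that is not FreeIPA's own code: a toy host-mod that enforces the framework-level guard on enrolledBy before any LDAP write, leaves the enrollment path able to set the attribute, and shows that a raw LDAP write still gets through because no ACI is involved. FakeLDAP, host_mod, enroll_host, attempt, PROTECTED_ATTRS, DN_SYNTAX_ATTRS, the managedBy handling and every sample DN are assumptions of the illustration, not FreeIPA's API.

```python
# Added example, not FreeIPA's own code: a toy of the framework-level guard from
# comment 1 (refuse --setattr/--addattr on enrolledBy before the LDAP write) and
# of the outcomes the test logs compare. Every name here (FakeLDAP, host_mod,
# enroll_host, attempt, PROTECTED_ATTRS, DN_SYNTAX_ATTRS) and every DN is assumed.

PROTECTED_ATTRS = {"enrolledby"}               # framework-managed only
DN_SYNTAX_ATTRS = {"enrolledby", "managedby"}  # assumed DN-syntax attributes

class InsufficientAccess(Exception): """Mirrors the CLI's 'Insufficient access' error."""
class InvalidSyntax(Exception): """Mirrors 'value #N invalid per syntax: Invalid syntax.'"""
class NoModifications(Exception): """Mirrors 'no modifications to be performed'."""

class FakeLDAP:
    """Constructed stand-in for the directory: {dn: {attr: [values]}}. modify() has
    no guard on purpose: it is the raw LDAP write comment 1 says still works."""
    def __init__(self):
        self.entries = {}
    def add(self, dn, attrs):
        self.entries[dn] = {k.lower(): list(v) for k, v in attrs.items()}
    def modify(self, dn, changes):
        for attr, values in changes.items():
            self.entries[dn][attr.lower()] = list(values)
    def get(self, dn):
        return {k: list(v) for k, v in self.entries[dn].items()}

def host_dn(fqdn, suffix="dc=testrelm"):
    return f"fqdn={fqdn},cn=computers,cn=accounts,{suffix}"

def parse_attr_arg(arg):
    """Split 'attr=value' as the CLI does: the first '=' is the separator."""
    name, sep, value = arg.partition("=")
    if not sep or not name.strip():
        raise ValueError(f"malformed attribute argument: {arg!r}")
    return name.strip().lower(), value

def looks_like_dn(value):
    # Crude DN check: non-empty, and every RDN has the form type=value.
    return bool(value) and all(rdn.partition("=")[0] and rdn.partition("=")[1]
                               for rdn in value.split(","))

def host_mod(ldap, fqdn, setattr=(), addattr=()):
    """Generic modify: access guard, then modlist, then syntax check, then write."""
    dn = host_dn(fqdn)
    entry = ldap.get(dn)
    sets = [parse_attr_arg(a) for a in setattr]
    adds = [parse_attr_arg(a) for a in addattr]
    # 1. Guard before any value validation, so a caller cannot learn the syntax of an
    #    attribute it may not write (ipa-host-cli-22 in comment 4 got the syntax error).
    for name, _ in sets + adds:
        if name in PROTECTED_ATTRS:
            raise InsufficientAccess(
                f"Insufficient 'write' privilege to the '{name}' attribute of entry '{dn}'.")
    # 2. --setattr replaces the value list; --addattr appends a value not already present.
    changes = {}
    for name, value in sets:
        changes[name] = [value]
    for name, value in adds:
        current = changes.setdefault(name, list(entry.get(name, [])))
        if value not in current:
            current.append(value)
    # 3. Syntax validation of DN-syntax attributes.
    for name, values in changes.items():
        if name in DN_SYNTAX_ATTRS:
            for i, v in enumerate(values):
                if not looks_like_dn(v):
                    raise InvalidSyntax(f"{name}: value #{i} invalid per syntax: Invalid syntax.")
    # 4. An unchanged entry is an error, like the --addattr run in the regression log.
    if all(entry.get(n) == v for n, v in changes.items()):
        raise NoModifications("no modifications to be performed")
    ldap.modify(dn, changes)
    return ldap.get(dn)

def enroll_host(ldap, fqdn, principal_dn):
    """The enrollment path: the one framework operation that sets enrolledBy."""
    ldap.modify(host_dn(fqdn), {"enrolledBy": [principal_dn]})
    return ldap.get(host_dn(fqdn))

def attempt(ldap, fqdn, **kwargs):
    """Run host_mod and report the CLI outcome category."""
    try:
        host_mod(ldap, fqdn, **kwargs)
        return "allowed"
    except InsufficientAccess:
        return "denied"
    except InvalidSyntax:
        return "syntax"
    except NoModifications:
        return "nomod"

def demo():
    """Replay the bug's reproduction steps against the toy directory."""
    ldap = FakeLDAP()
    fqdn = "nightcrawler.testrelm"
    ldap.add(host_dn(fqdn), {"fqdn": [fqdn]})
    admin = "uid=admin,cn=users,cn=accounts,dc=testrelm"
    user = "uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com"
    results = {"enrolled": enroll_host(ldap, fqdn, admin)["enrolledby"]}
    results["setattr"] = attempt(ldap, fqdn, setattr=[f"enrolledBy={user}"])
    results["addattr"] = attempt(ldap, fqdn, addattr=[f"enrolledBy={user}"])
    results["bad_syntax"] = attempt(ldap, fqdn, setattr=["enrolledBy=me"])
    # A raw LDAP write is not stopped by the framework guard (comment 1's caveat).
    ldap.modify(host_dn(fqdn), {"enrolledBy": [user]})
    results["raw_ldap"] = ldap.get(host_dn(fqdn))["enrolledby"]
    return results
```

demo() reports "denied" for --setattr, --addattr and the malformed value alike, while the raw modify at the end changes enrolledBy unchallenged. The order of the checks is the point: ipa-host-cli-22 expected the access error, not the syntax error, for enrolledBy=me, which only happens if the guard runs before value validation.
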
Comment 5 Rob Crittenden 2011-07-15 14:12:58 UTC
master: 37e3bf2a6096ea18f46501bf5f2a51c55e829595

