Bug 716287 - ipa host-mod --setattr should not allow enrolledBy to be changed
Summary: ipa host-mod --setattr should not allow enrolledBy to be changed
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.1
Hardware: All
OS: Linux
low
high
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
URL:
Whiteboard:
Depends On: 634301
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-06-23 20:48 UTC by Jenny Severance
Modified: 2015-01-04 23:49 UTC (History)
4 users (show)

Fixed In Version: ipa-2.1.0-1.el6
Doc Type: Bug Fix
Doc Text:
Cause: When a host is enrolled the user that does the enrollment is stored in the attribute enrolledBy in the host. An administrator was able to change this value using --setattr. Consequence: This value should be immutable. Fix: Remove write permissions enrolledBy from the access controls. Result: The enrolledBy value is no longer writable.
Clone Of: 634301
Environment:
Last Closed: 2011-12-06 18:36:26 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1533 normal SHIPPED_LIVE Moderate: ipa security and bug fix update 2011-12-06 01:23:31 UTC

Description Jenny Severance 2011-06-23 20:48:14 UTC 
+++ This bug was initially created as a clone of Bug #634301 +++

Description of problem:
ipa host-mod --setattr on enrolledBy attribute is successful.  This should not be allowed.

Version-Release number of selected component (if applicable):

ipa-server-1.91-0.2010080617git830910d.fc12.i686
ipa-admintools-1.91-0.2010080617git830910d.fc12.i686


How reproducible:
always

Steps to Reproduce:
1. add a new host
  # ipa host-add newhost.domain.com
2. enrolledBy value should be said you your current admin id - verify
  # ipa host-show --all newhost.domain.com
3. change the enrolledBy value
  # "ipa host-mod --setattr enrolledBy=\"uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com\" newhost.domain.com
4. check value of enrolledBy 
 # ipa host-show --all newhost.domain.com

Actual results:
successful

Expected results:
error message stating the operation is not allowed

Additional info:

--- Additional comment from rcritten@redhat.com on 2010-09-27 15:03:38 EDT ---

Will control this via the framework, not an ACI, so it will still be writable by an LDAP write. This will prevent casual overwriting.

This is difficult to fix because a host can be unenrolled and re-enrolled, so the attribute needs to be writable under some conditions.

https://fedorahosted.org/freeipa/ticket/302

--- Additional comment from dpal@redhat.com on 2010-12-10 17:51:47 EST ---

master: 9726941e3d8cfd653034af09d34986b9f9dfdadf

--- Additional comment from jgalipea@redhat.com on 2011-06-10 16:19:54 EDT ---

verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
:: [   LOG    ] :: Duration: 7s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy


# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

--- Additional comment from jgalipea@redhat.com on 2011-06-23 12:54:41 EDT ---

Regression

Version:

ipa-server.i686 0:2.0.99-1.20110622T0510zgit3a36ece.el6


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: ERROR: Expected "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" to fail.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: no modifications to be performed  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [   LOG    ] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
:: [   LOG    ] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [   LOG    ] :: ERROR: Message not as expected. GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.  EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   FAIL   ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [   LOG    ] :: Duration: 13s
:: [   LOG    ] :: Assertions: 0 good, 2 bad
:: [   FAIL   ] :: RESULT: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
Comment 1 Rob Crittenden 2011-08-01 19:47:01 UTC 
master: 37e3bf2a6096ea18f46501bf5f2a51c55e829595
Comment 4 Rob Crittenden 2011-10-31 20:32:59 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: When a host is enrolled the user that does the enrollment is stored in the attribute enrolledBy in the host. An administrator was able to change this value using --setattr.
Consequence: This value should be immutable.
Fix: Remove write permissions enrolledBy from the access controls.
Result: The enrolledBy value is no longer writable.
Comment 5 Namita Soman 2011-11-06 04:36:33 UTC 
Verified using ipa-server.x86_64 0:2.1.3-8.el6


::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-21:  Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [10:08:05] ::  Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:08] ::  "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:10] ::  Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [10:08:10] ::  Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:12] ::  "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:15] ::  Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
'383ffb8c-fabe-448e-a6ab-28ef493e0582'
ipa-host-cli-21 result: PASS
   metric: 0
   Log: /tmp/beakerlib-3497821/journal.txt
    Info: Searching AVC errors produced since 1320415685.51 (Fri Nov  4 10:08:05 2011)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.fGwZfu
:
   AvcLog: /mnt/testarea/tmp.fGwZfu

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-host-cli-22:  Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [10:08:17] ::  Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:20] ::  "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [10:08:22] ::  Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --setattr.
:: [10:08:22] ::  Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:24] ::  "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [10:08:27] ::  Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [   PASS   ] :: Verify expected error message for --addattr.
'83db3557-686c-474a-b9c8-877657f5b9b6'
ipa-host-cli-22 result: PASS
   metric: 0
   Log: /tmp/beakerlib-3497821/journal.txt
    Info: Searching AVC errors produced since 1320415697.39 (Fri Nov  4 10:08:17 2011)
     Searching logs...
     Info: No AVC messages found.
 Writing to /mnt/testarea/tmp.fGwZfu
:
   AvcLog: /mnt/testarea/tmp.fGwZfu
Comment 6 errata-xmlrpc 2011-12-06 18:36:26 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
Note You need to log in before you can comment on or make changes to this bug.