+++ This bug was initially created as a clone of Bug #634301 +++

Description of problem:
ipa host-mod --setattr on the enrolledBy attribute is successful. This should not be allowed.

Version-Release number of selected component (if applicable):
ipa-server-1.91-0.2010080617git830910d.fc12.i686
ipa-admintools-1.91-0.2010080617git830910d.fc12.i686

How reproducible:
always

Steps to Reproduce:
1. add a new host
   # ipa host-add newhost.domain.com
2. the enrolledBy value should be set to your current admin id - verify
   # ipa host-show --all newhost.domain.com
3. change the enrolledBy value
   # ipa host-mod --setattr enrolledBy="uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com" newhost.domain.com
4. check the value of enrolledBy
   # ipa host-show --all newhost.domain.com

Actual results:
successful

Expected results:
error message stating the operation is not allowed

Additional info:

--- Additional comment from rcritten@redhat.com on 2010-09-27 15:03:38 EDT ---

Will control this via the framework, not an ACI, so it will still be writable by an LDAP write. This will prevent casual overwriting.

This is difficult to fix because a host can be unenrolled and re-enrolled, so the attribute needs to be writable under some conditions.
https://fedorahosted.org/freeipa/ticket/302

--- Additional comment from dpal@redhat.com on 2010-12-10 17:51:47 EST ---

master: 9726941e3d8cfd653034af09d34986b9f9dfdadf

--- Additional comment from jgalipea@redhat.com on 2011-06-10 16:19:54 EDT ---

verified

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --setattr.
:: [ LOG ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --addattr.
:: [ LOG ] :: Duration: 7s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy

# rpm -qi ipa-server | head
Name        : ipa-server                   Relocations: (not relocatable)
Version     : 2.0.0                             Vendor: Red Hat, Inc.
Release     : 23.el6                        Build Date: Wed 20 Apr 2011 09:57:13 AM EDT
Install Date: Thu 19 May 2011 12:47:52 PM EDT      Build Host: x86-003.build.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-2.0.0-23.el6.src.rpm
Size        : 2565882                          License: GPLv3+
Signature   : RSA/8, Thu 21 Apr 2011 03:48:25 PM EDT, Key ID 199e2f91fd431d51
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : The IPA authentication server

--- Additional comment from jgalipea@redhat.com on 2011-06-23 12:54:41 EDT ---

Regression

Version: ipa-server.i686 0:2.0.99-1.20110622T0510zgit3a36ece.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [ LOG ] :: ERROR: Expected "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" to fail.
:: [ FAIL ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [ LOG ] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: ERROR: Message not as expected.
GOT: ipa: ERROR: no modifications to be performed
EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ FAIL ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [ LOG ] :: Duration: 9s
:: [ LOG ] :: Assertions: 0 good, 2 bad
:: [ FAIL ] :: RESULT: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-22: Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: ERROR: Message not as expected.
GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.
EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ FAIL ] :: Verify expected error message for --setattr. (Expected 0, got 1)
:: [ LOG ] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
:: [ LOG ] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [ LOG ] :: ERROR: Message not as expected.
GOT: ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax.
EXP: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ FAIL ] :: Verify expected error message for --addattr. (Expected 0, got 1)
:: [ LOG ] :: Duration: 13s
:: [ LOG ] :: Assertions: 0 good, 2 bad
:: [ FAIL ] :: RESULT: ipa-host-cli-22: Negative - setattr and addattr on enrolledBy - invalid syntax
master: 37e3bf2a6096ea18f46501bf5f2a51c55e829595
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: When a host is enrolled, the user that does the enrollment is stored in the attribute enrolledBy in the host. An administrator was able to change this value using --setattr.
Consequence: This value should be immutable.
Fix: Remove write permissions for enrolledBy from the access controls.
Result: The enrolledBy value is no longer writable.
Verified using ipa-server.x86_64 0:2.1.3-8.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-21: Negative - setattr and addattr on enrolledBy
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:08:05] :: Executing: ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:08] :: "ipa host-mod --setattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:10] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --setattr.
:: [10:08:10] :: Executing: ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:12] :: "ipa host-mod --addattr enrolledBy=uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com nightcrawler.testrelm" failed as expected.
:: [10:08:15] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --addattr.
'383ffb8c-fabe-448e-a6ab-28ef493e0582' ipa-host-cli-21 result: PASS metric: 0
Log: /tmp/beakerlib-3497821/journal.txt
Info: Searching AVC errors produced since 1320415685.51 (Fri Nov 4 10:08:05 2011)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.fGwZfu : AvcLog: /mnt/testarea/tmp.fGwZfu
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-host-cli-22: Negative - setattr and addattr on enrolledBy - invalid syntax
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [10:08:17] :: Executing: ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:20] :: "ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm" failed as expected.
:: [10:08:22] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --setattr.
:: [10:08:22] :: Executing: ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [10:08:24] :: "ipa host-mod --addattr enrolledBy=you nightcrawler.testrelm" failed as expected.
:: [10:08:27] :: Error message as expected: ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' attribute of entry 'fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm'.
:: [ PASS ] :: Verify expected error message for --addattr.
'83db3557-686c-474a-b9c8-877657f5b9b6' ipa-host-cli-22 result: PASS metric: 0
Log: /tmp/beakerlib-3497821/journal.txt
Info: Searching AVC errors produced since 1320415697.39 (Fri Nov 4 10:08:17 2011)
Searching logs...
Info: No AVC messages found.
Writing to /mnt/testarea/tmp.fGwZfu : AvcLog: /mnt/testarea/tmp.fGwZfu
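The verification runs above accept only one outcome as proof that enrolledBy is read-only: the "Insufficient 'write' privilege" error. The 2.0.99 regression run shows why the other outcomes must not be counted as a pass: a plain success means the write went through, "no modifications to be performed" means the value was already present (because an earlier --setattr had succeeded) so the access check was never reached, and a syntax error on a non-DN value is rejected before the ACI is consulted. The following checker, added here as an example and not part of FreeIPA or the Beaker harness quoted in this bug, encodes that classification. The message patterns come from the logs on this page; the sample runs, their exit statuses and the run_live helper (which shells out to ipa host-mod) are constructed assumptions.

```python
"""Classify the outcome of an `ipa host-mod --setattr/--addattr enrolledBy=...`
run, the negative test used on this bug page to verify that enrolledBy is
immutable. Added example; not FreeIPA code and not the Beaker test harness.
"""
import re
import subprocess
from dataclasses import dataclass

# Access-denied message the verification runs accept (quoted from the logs);
# the entry DN differs per host, so it is captured rather than matched literally.
ACCESS_DENIED_RE = re.compile(
    r"Insufficient access: Insufficient 'write' privilege to the 'enrolledBy' "
    r"attribute of entry '(?P<dn>[^']+)'"
)
# Seen in the 2.0.99 regression run: the value was already present, so the
# framework sent no modify operation and the ACI was never exercised.
EMPTY_MODLIST_RE = re.compile(r"no modifications to be performed")
# Seen for a non-DN value such as enrolledBy=me: rejected by syntax validation,
# which says nothing about whether a well-formed DN would have been written.
SYNTAX_RE = re.compile(r"enrolledBy: value #\d+ invalid per syntax")


@dataclass(frozen=True)
class HostModRun:
    command: str      # the ipa host-mod command line that was executed
    exit_status: int  # 0 means the modification was accepted (assumed convention)
    stderr: str       # what ipa printed on error (empty on success)


def classify(run: HostModRun) -> str:
    """Return 'IMMUTABLE', 'WRITABLE' or 'INCONCLUSIVE' for a single run."""
    if run.exit_status == 0:
        return "WRITABLE"        # the write went through: this is the bug
    if ACCESS_DENIED_RE.search(run.stderr):
        return "IMMUTABLE"       # the expected outcome once the ACI is fixed
    if EMPTY_MODLIST_RE.search(run.stderr) or SYNTAX_RE.search(run.stderr):
        return "INCONCLUSIVE"    # failed, but not because of the access control
    return "INCONCLUSIVE"        # unknown error text: do not count it as a pass


def evaluate(runs) -> dict:
    """Summarise a set of runs the way the beakerlib output does: good/bad
    counts and an overall PASS only when every attempt was denied on access
    grounds. Anything else is a FAIL, exactly as in the regression run above."""
    verdicts = [classify(r) for r in runs]
    good = verdicts.count("IMMUTABLE")
    return {
        "good": good,
        "bad": len(verdicts) - good,
        "result": "PASS" if good == len(verdicts) else "FAIL",
        "verdicts": verdicts,
    }


def run_live(fqdn: str, dn: str, mode: str = "--setattr") -> HostModRun:
    """Execute the negative test against a real IPA server (needs an admin
    Kerberos ticket). Hypothetical helper; not used by the samples below."""
    cmd = ["ipa", "host-mod", mode, f"enrolledBy={dn}", fqdn]
    proc = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return HostModRun(" ".join(cmd), proc.returncode, proc.stderr)


# Constructed samples mirroring the outcomes recorded on this page.
HOST_DN = "fqdn=nightcrawler.testrelm,cn=computers,cn=accounts,dc=testrelm"
USER_DN = "uid=user,cn=users,cn=accounts,dc=bos,dc=redhat,dc=com"
DENIED = (
    "ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the "
    f"'enrolledBy' attribute of entry '{HOST_DN}'."
)
SAMPLE_FIXED = [   # the 2.0.0-23 and 2.1.3-8 verification runs
    HostModRun(f"ipa host-mod --setattr enrolledBy={USER_DN} nightcrawler.testrelm", 1, DENIED),
    HostModRun(f"ipa host-mod --addattr enrolledBy={USER_DN} nightcrawler.testrelm", 1, DENIED),
]
SAMPLE_REGRESSED = [   # the 2.0.99 regression run
    HostModRun(f"ipa host-mod --setattr enrolledBy={USER_DN} nightcrawler.testrelm", 0, ""),
    HostModRun(f"ipa host-mod --addattr enrolledBy={USER_DN} nightcrawler.testrelm", 1,
               "ipa: ERROR: no modifications to be performed"),
    HostModRun("ipa host-mod --setattr enrolledBy=me nightcrawler.testrelm", 1,
               "ipa: ERROR: enrolledBy: value #0 invalid per syntax: Invalid syntax."),
]

if __name__ == "__main__":
    for name, runs in (("fixed", SAMPLE_FIXED), ("regressed", SAMPLE_REGRESSED)):
        print(name, evaluate(runs))
```

The point of the three-way verdict is that a negative test passes only when the failure is the right failure. Treating any non-zero exit as a pass would have hidden the 2.0.99 regression, where the --addattr attempt "failed as expected" for an unrelated reason while the attribute was in fact writable.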
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html