Description of problem:
With IPA and delegated administration, at this time, there is no concept of "scoping" those permissions. However, the permission "Change a user password" needs, by default, to exclude users in the Administrators group ... or any help desk or User admin can change the administrator's password without being prompted for the existing password.

Version-Release number of selected component (if applicable):

How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains the "Change a user password" permission
3. kinit as the user
4. Change the admin user's password: ipa passwd admin

Actual results:
The help desk admin can change passwords of users in the Administrators group

Expected results:
Denied being able to change the password

Additional info:
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2271
Using ipa-server-2.2.0-101.20120213T0935zgitf93d95f.el6.x86_64, a user with the helpdesk role can no longer change admin's password. But this user cannot change anybody's password anymore.
Not sure why that would be, no change has been committed yet.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/2416
Ticket 2271 fixed upstream: master: https://fedorahosted.org/freeipa/changeset/ffd39503c1e4c1b7a309953e232d4727551a58c3 ipa-2-2: https://fedorahosted.org/freeipa/changeset/6c222bdd1f4783c1a8a5c2b0b247279e63bd31c6
Ticket 2416 fixed upstream as well: master: https://fedorahosted.org/freeipa/changeset/960baaebf4a1305a38f7cec099f51607e2427d24 ipa-2-2: https://fedorahosted.org/freeipa/changeset/3961aa8603d5c56719ad9c84607b9be278ddabe2
A user with the helpdesk role can no longer change admin's password, and this user can change other users' passwords.

Verified using: ipa-server.x86_64 0:2.2.0-4.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: kinit as admin with password Secret123 was successful.
:: [ PASS ] :: Running 'kinitAs admin Secret123'
:: [ LOG ] :: Executing: ipa role-add-member --users=testuserhelpdesk "helpdesk" --all
:: [ LOG ] :: Added testuserhelpdesk to helpdesk successfully
:: [ PASS ] :: Adding member to role helpdesk
:: [ LOG ] :: kinit as testuserhelpdesk with password Secret123 was successful.
:: [ PASS ] :: kinit as testuserhelpdesk
:: [ PASS ] :: Verify error message when testuserhelpdesk updates admin's password (bug 773759)
:: [ PASS ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_1.log' should contain 'ipa: ERROR: Insufficient access: Insufficient access rights'
:: [ LOG ] :: Duration: 9s
:: [ LOG ] :: Assertions: 5 good, 0 bad
:: [ PASS ] :: RESULT: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Verify error message when testuserhelpdesk adds a new user
:: [ PASS ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_2.log' should contain 'ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'uid=two,cn=users,cn=accounts,dc=testrelm,dc=com'.'
:: [ LOG ] :: Duration: 2s
:: [ LOG ] :: Assertions: 2 good, 0 bad
:: [ PASS ] :: RESULT: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: Executing: ipa user-mod --last="testtest" test
:: [ LOG ] :: Modifying user test successful.
:: [ PASS ] :: Verify testuserhelpdesk can modify test's lastname
:: [ LOG ] :: Duration: 2s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ LOG ] :: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [ PASS ] :: Verify testuserhelpdesk can reset test's password
:: [ LOG ] :: Duration: 2s
:: [ LOG ] :: Assertions: 1 good, 0 bad
:: [ PASS ] :: RESULT: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Cause: Non-admin users with an appropriate permission can change other users' passwords. The target group of this permission is, however, not limited.
Consequence: A non-admin user with the permission can change the password of an admin user and thus get access to the admin account.
Fix: The permission was changed to allow password changes for non-admin users only.
Result: A non-admin user with a permission to change passwords cannot change the password of admin users.
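The following is an added example, not FreeIPA's code and not part of this bug's comments. It models the authorization decision behind the reproduce steps in the description and the fix summarised in the Technical Note: the same "Change a user password" grant evaluated once without any target scope (the helpdesk user can write userPassword on admin) and once with a target filter that excludes members of the admins group. The DNs, the group and role layout, and the filter text `(!(memberOf=cn=admins,...))` are assumptions modelled on the dc=testrelm,dc=com entries in the QA log above, not the real ACI text from the upstream changesets.

```python
"""Added example (not FreeIPA's code): a constructed model of an unscoped
versus a group-scoped "Change a user password" grant.

DNs, the directory contents and the target filter are assumptions made for
this example; they are modelled on the QA output in the bug, not on the
actual ACI shipped in the fix.
"""

SUFFIX = "dc=testrelm,dc=com"
ADMINS_GROUP = f"cn=admins,cn=groups,cn=accounts,{SUFFIX}"
HELPDESK_ROLE = f"cn=helpdesk,cn=roles,cn=accounts,{SUFFIX}"


def user_dn(uid):
    return f"uid={uid},cn=users,cn=accounts,{SUFFIX}"


# Constructed directory contents: DN -> multi-valued attributes. memberOf is
# assumed to be fully populated (including nested membership), which is what
# lets a target filter test group membership of the *target* entry.
DIRECTORY = {
    user_dn("admin"): {"uid": ["admin"], "memberOf": [ADMINS_GROUP]},
    user_dn("test"): {"uid": ["test"], "memberOf": []},
    user_dn("testuserhelpdesk"): {"uid": ["testuserhelpdesk"],
                                  "memberOf": [HELPDESK_ROLE]},
}


def parse_filter(text):
    """Parse the RFC 4515 subset that ACI target filters normally use:
    (&...), (|...), (!...), (attr=value) and (attr=*). Returns a tree."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            return (op, children)
        end = text.index(")", pos)              # DN values contain '=' but not ')'
        attr, sep, value = text[pos:end].partition("=")
        if not attr or not sep:
            raise ValueError(f"bad filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against one entry; attribute names and DN
    values are compared case-insensitively, as a directory server would."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    attrs = {k.lower(): [v.lower() for v in vs] for k, vs in entry.items()}
    present = attrs.get(attr, [])
    return bool(present) if value == "*" else value.lower() in present


class Aci:
    """Cut-down access-control instruction: grant write on one attribute to
    holders of a role, optionally restricted to entries matching a filter."""

    def __init__(self, name, targetattr, roledn, targetfilter=None):
        self.name = name
        self.targetattr = targetattr.lower()
        self.roledn = roledn.lower()
        self.targetfilter = parse_filter(targetfilter) if targetfilter else None

    def allows_write(self, actor_dn, target_dn, attr):
        actor, target = DIRECTORY[actor_dn], DIRECTORY[target_dn]
        if attr.lower() != self.targetattr:
            return False
        if self.roledn not in (m.lower() for m in actor.get("memberOf", [])):
            return False                          # bind rule: actor lacks the role
        if self.targetfilter and not matches(self.targetfilter, target):
            return False                          # scope: target is out of range
        return True


# Before: any holder of the helpdesk role may write userPassword on any user.
UNSCOPED = Aci("Change a user password", "userPassword", HELPDESK_ROLE)
# After: same grant, but admins-group members are excluded from the target set.
SCOPED = Aci("Change a user password", "userPassword", HELPDESK_ROLE,
             targetfilter=f"(!(memberOf={ADMINS_GROUP}))")


def can_reset_password(aci, actor_uid, target_uid):
    """Can actor_uid, under this ACI, write userPassword on target_uid?"""
    return aci.allows_write(user_dn(actor_uid), user_dn(target_uid), "userPassword")


if __name__ == "__main__":
    for label, aci in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        for target in ("admin", "test"):
            print(f"{label:8} testuserhelpdesk -> {target:5}: "
                  f"{can_reset_password(aci, 'testuserhelpdesk', target)}")
```

The two outcomes the QA log checks map onto the two scoped calls: helpdesk against admin is denied, helpdesk against test is still allowed. The second check matters as much as the first; the interim build in comment 3, where the helpdesk user could no longer change anybody's password, is exactly the over-tightening that a test like ipa-rbac-1004 exists to catch. Because the filter is evaluated against the target entry's memberOf, and IPA populates memberOf for nested groups as well, any user placed in a group that is itself a member of admins falls outside the helpdesk scope too.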
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0819.html