773759 – Administrative Roles given the permission to change a user password should not be able to change user's passwords that are in the Administrators Group

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 773759 - Administrative Roles given the permission to change a user password should not be able to change user's passwords that are in the Administrators Group

Summary: Administrative Roles given the permission to change a user password should no...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa
Sub Component:
Version:	6.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-01-12 20:00 UTC by Jenny Severance
Modified:	2013-08-19 15:54 UTC (History)
CC List:	2 users (show)
Fixed In Version:	ipa-2.2.0-3.el6
Doc Type:	Bug Fix
Doc Text:	Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited. Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account. Fix: The permission was changed to allow password changes for non-admin users only. Result: Non-admin user with a permission to change passwords cannot change a password of admin users.
Clone Of:
Environment:
Last Closed:	2012-06-20 13:29:07 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2012:0819	0	normal	SHIPPED_LIVE	ipa bug fix and enhancement update	2012-06-19 20:34:17 UTC

Description Jenny Severance 2012-01-12 20:00:33 UTC

Description of problem:
With IPA and delegated administration, at this time, there is no concept of "scoping" those permissions.  However, the permission "Change a user passwd", needs to by default exclude users in the Administrators group ... or any help desk or User admin can change the administrator's password without being prompted for the existing password.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains "Change a user password" permission
3. kinit as the user
4. change the admin user's password
   ipa passwd admin
  
Actual results:
help desk admin can change passwords of users in Administrators group

Expected results:
Denied being able to change the password

Additional info:

Comment 1 Dmitri Pal 2012-01-17 17:50:24 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2271

Comment 2 Namita Soman 2012-02-14 14:28:49 UTC

Using ipa-server-2.2.0-101.20120213T0935zgitf93d95f.el6.x86_64, user with helpdesk role can no longer change admin's password. But this user cannot change anybody's password anymore.

Comment 3 Rob Crittenden 2012-02-14 14:33:42 UTC

Not sure why that would be, no change has been committed yet.

Comment 4 Martin Kosek 2012-02-20 18:44:57 UTC

Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2416

Comment 5 Martin Kosek 2012-02-20 18:45:46 UTC

Ticket 2271 fixed upstream:

master: https://fedorahosted.org/freeipa/changeset/ffd39503c1e4c1b7a309953e232d4727551a58c3
ipa-2-2: https://fedorahosted.org/freeipa/changeset/6c222bdd1f4783c1a8a5c2b0b247279e63bd31c6

Comment 6 Martin Kosek 2012-02-23 10:10:01 UTC

Ticket 2416 fixed upstream as well:
master: https://fedorahosted.org/freeipa/changeset/960baaebf4a1305a38f7cec099f51607e2427d24
ipa-2-2: https://fedorahosted.org/freeipa/changeset/3961aa8603d5c56719ad9c84607b9be278ddabe2

Comment 9 Namita Soman 2012-03-27 12:50:48 UTC

user with helpdesk role can no longer change admin's password. And this user can change other users' password.

Verified using:
ipa-server.x86_64 0:2.2.0-4.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   LOG    ] :: Executing: ipa role-add-member --users=testuserhelpdesk "helpdesk" --all
:: [   LOG    ] :: Added testuserhelpdesk to helpdesk successfully
:: [   PASS   ] :: Adding member to role helpdesk
:: [   LOG    ] :: kinit as testuserhelpdesk with password Secret123 was successful.
:: [   PASS   ] :: kinit as testuserhelpdesk
:: [   PASS   ] :: Verify error message when testuserhelpdesk updates admin's password (bug 773759)
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_1.log' should contain 'ipa: ERROR: Insufficient access: Insufficient access rights'
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify error message when testuserhelpdesk adds a new user
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_2.log' should contain 'ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'uid=two,cn=users,cn=accounts,dc=testrelm,dc=com'.'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --last="testtest" test
:: [   LOG    ] :: Modifying user test successful.
:: [   PASS   ] :: Verify testuserhelpdesk can modify test's lastname
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify testuserhelpdesk can reset test's password
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)

Comment 10 Martin Kosek 2012-04-20 10:52:14 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited.
Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account.
Fix: The permission was changed to allow password changes for non-admin users only.
Result: Non-admin user with a permission to change passwords cannot change a password of admin users.

Comment 12 errata-xmlrpc 2012-06-20 13:29:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html

Note You need to log in before you can comment on or make changes to this bug.