Bug 773759 - Administrative Roles given the permission to change a user password should not be able to change user's passwords that are in the Administrators Group
Summary: Administrative Roles given the permission to change a user password should no...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.2
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Rob Crittenden
QA Contact: IDM QE LIST
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-01-12 20:00 UTC by Jenny Severance
Modified: 2013-08-19 15:54 UTC (History)
2 users (show)

Fixed In Version: ipa-2.2.0-3.el6
Doc Type: Bug Fix
Doc Text:
Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited. Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account. Fix: The permission was changed to allow password changes for non-admin users only. Result: Non-admin user with a permission to change passwords cannot change a password of admin users.
Clone Of:
Environment:
Last Closed: 2012-06-20 13:29:07 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2012:0819 normal SHIPPED_LIVE ipa bug fix and enhancement update 2012-06-19 20:34:17 UTC

Description Jenny Severance 2012-01-12 20:00:33 UTC
Description of problem:
With IPA and delegated administration, at this time, there is no concept of "scoping" those permissions.  However, the permission "Change a user passwd", needs to by default exclude users in the Administrators group ... or any help desk or User admin can change the administrator's password without being prompted for the existing password.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains "Change a user password" permission
3. kinit as the user
4. change the admin user's password
   ipa passwd admin
  
Actual results:
help desk admin can change passwords of users in Administrators group

Expected results:
Denied being able to change the password

Additional info:

Comment 1 Dmitri Pal 2012-01-17 17:50:24 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2271

Comment 2 Namita Soman 2012-02-14 14:28:49 UTC
Using ipa-server-2.2.0-101.20120213T0935zgitf93d95f.el6.x86_64, user with helpdesk role can no longer change admin's password. But this user cannot change anybody's password anymore.

Comment 3 Rob Crittenden 2012-02-14 14:33:42 UTC
Not sure why that would be, no change has been committed yet.

Comment 4 Martin Kosek 2012-02-20 18:44:57 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/2416

Comment 9 Namita Soman 2012-03-27 12:50:48 UTC
user with helpdesk role can no longer change admin's password. And this user can change other users' password.

Verified using:
ipa-server.x86_64 0:2.2.0-4.el6

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password Secret123 was successful.
:: [   PASS   ] :: Running 'kinitAs admin Secret123'
:: [   LOG    ] :: Executing: ipa role-add-member --users=testuserhelpdesk "helpdesk" --all
:: [   LOG    ] :: Added testuserhelpdesk to helpdesk successfully
:: [   PASS   ] :: Adding member to role helpdesk
:: [   LOG    ] :: kinit as testuserhelpdesk with password Secret123 was successful.
:: [   PASS   ] :: kinit as testuserhelpdesk
:: [   PASS   ] :: Verify error message when testuserhelpdesk updates admin's password (bug 773759)
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_1.log' should contain 'ipa: ERROR: Insufficient access: Insufficient access rights'
:: [   LOG    ] :: Duration: 9s
:: [   LOG    ] :: Assertions: 5 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1001 - Set up user with HelpDesk Role - Cannot reset admin's password

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify error message when testuserhelpdesk adds a new user
:: [   PASS   ] :: File '/tmp/tmp.pPxSE36hsu/ipaRBAC_test01_2.log' should contain 'ipa: ERROR: Insufficient access: Insufficient 'add' privilege to add the entry 'uid=two,cn=users,cn=accounts,dc=testrelm,dc=com'.'
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 2 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1002 - Set up user with HelpDesk Role - Cannot add new user

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: Executing: ipa user-mod --last="testtest" test
:: [   LOG    ] :: Modifying user test successful.
:: [   PASS   ] :: Verify testuserhelpdesk can modify test's lastname
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1003 - Set up user with HelpDesk Role - Can update user attr

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   PASS   ] :: Verify testuserhelpdesk can reset test's password
:: [   LOG    ] :: Duration: 2s
:: [   LOG    ] :: Assertions: 1 good, 0 bad
:: [   PASS   ] :: RESULT: ipa-rbac-1004 - Set up user with HelpDesk Role - Can reset a user's password (bug 773759)

Comment 10 Martin Kosek 2012-04-20 10:52:14 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: Non-admin users with an appropriate permission can change other users password. The target group of this permission is however not limited.
Consequence: Non-admin user with the permission can change a password of admin user and thus get access to admin account.
Fix: The permission was changed to allow password changes for non-admin users only.
Result: Non-admin user with a permission to change passwords cannot change a password of admin users.

Comment 12 errata-xmlrpc 2012-06-20 13:29:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0819.html


Note You need to log in before you can comment on or make changes to this bug.