Bug 860683 – group-mod should not be allowed to rename or modify admins account

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 860683 - group-mod should not be allowed to rename or modify admins account

Summary:	group-mod should not be allowed to rename or modify admins account

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	ipa (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	medium Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rob Crittenden
QA Contact:	IDM QE LIST
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-09-26 09:20 EDT by Dmitri Pal
Modified:	2013-05-16 16:54 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	ipa-3.0.0-3.el6
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 04:20:00 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0528	normal	SHIPPED_LIVE	Low: ipa security, bug fix and enhancement update	2013-02-21 03:22:21 EST

Groups: None (edit)

Description Dmitri Pal 2012-09-26 09:20:37 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/3098

`group-mod` should not allow potentially dangerous actions like `--rename` or maybe also `--external` changes made to the `admins` group.

Otherwise, admin users may get a restricted access to DIT as our ACIs requires `admins` group to have a fixed name (and DN).

Comment 1 Martin Kosek 2012-10-03 07:32:03 EDT

Fixed upstream:
master: https://fedorahosted.org/freeipa/changeset/682edbf2152aa2dce2f6350226bffc6ebc2526c1
ipa-3-0: https://fedorahosted.org/freeipa/changeset/22211c28b755245207a53e90acba073e69b04428

Comment 4 Jenny Galipeau 2013-01-15 15:01:58 EST

verified ::

# ipa group-mod --rename=Administrators admins
ipa: ERROR: group admins cannot be deleted/modified: Cannot be renamed

version ::
ipa-server-3.0.0-21.el6

Comment 6 errata-xmlrpc 2013-02-21 04:20:00 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0528.html

Note You need to log in before you can comment on or make changes to this bug.