From 2b5ce7bd98585a76ce745a027ea8226d34be940b Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update
Certificate profiles consist of a FreeIPA object, and a
corresponding Dogtag configuration object. When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles. This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
https://fedorahosted.org/freeipa/ticket/6560
---
ipalib/plugins/certprofile.py | 5 +++++
1 file changed, 5 insertions(+)
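diff --git a/ipalib/plugins/certprofile.py b/ipalib/plugins/certprofile.py
index ce56ec2..3afcb18 100644
--- a/ipalib/plugins/certprofile.py
+++ b/ipalib/plugins/certprofile.py
@@ -326,6 +326,11 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
 raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
 reason=_('Certificate profiles cannot be renamed'))
 if 'file' in options:
+ # ensure operator has permission to update a certprofile
+ if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+ raise errors.ACIError(info=_(
+ "Insufficient privilege to modify a certificate profile."))
+
 with self.api.Backend.ra_certprofile as profile_api:
 profile_api.disable_profile(keys[0])
 try: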
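Review bot: The comment on the new guard does not say why `ipacertprofilestoreissued` is the attribute being checked, and that matters because `ldap.can_write` is attribute-granular: whoever is granted write on just that one attribute of the entry is thereby allowed to replace the entire Dogtag profile configuration, so a later split of the certprofile permissions could widen this without anyone noticing. I would expand the comment to `# Dogtag profile config is not an LDAP attribute; write access to ipacertprofilestoreissued on this entry is the proxy for "may modify this profile" -- review if the certprofile write permissions are ever split`. The ordering itself looks right, since the ACIError is raised before disable_profile touches Dogtag, and the guard only covers the `file` path; plain LDAP attribute updates presumably stay subject to the directory's ACIs on the later update. pre_callback starts and ends outside the hunk.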
--
2.7.4