Compare commits
No commits in common. "c8-stream-DL1" and "c8-beta-stream-DL1" have entirely different histories.
c8-stream-
...
c8-beta-st
|
|
@ -1,392 +0,0 @@
|
|||
From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Feb 23 2024 09:49:27 +0000
|
||||
Subject: rpcserver: validate Kerberos principal name before running kinit
|
||||
|
||||
|
||||
Do minimal validation of the Kerberos principal name when passing it to
|
||||
kinit command line tool. Also pass it as the final argument to prevent
|
||||
option injection.
|
||||
|
||||
Accepted Kerberos principals are:
|
||||
- user names, using the following regexp
|
||||
(username with optional @realm, no spaces or slashes in the name):
|
||||
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
|
||||
|
||||
- service names (with slash in the name but no spaces). Validation of
|
||||
the hostname is done. There is no validation of the service name.
|
||||
|
||||
The regular expression above also covers cases where a principal name
|
||||
starts with '-'. This prevents option injection as well.
|
||||
|
||||
This fixes CVE-2024-1481
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9541
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
||||
index cc839ec..4ad4eaa 100644
|
||||
--- a/ipalib/install/kinit.py
|
||||
+++ b/ipalib/install/kinit.py
|
||||
@@ -6,12 +6,16 @@ from __future__ import absolute_import
|
||||
|
||||
import logging
|
||||
import os
|
||||
+import re
|
||||
import time
|
||||
|
||||
import gssapi
|
||||
|
||||
from ipaplatform.paths import paths
|
||||
from ipapython.ipautil import run
|
||||
+from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||
+from ipalib.util import validate_hostname
|
||||
+from ipalib import api
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068
|
||||
# A service is not available that s required to process the request
|
||||
KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941
|
||||
|
||||
+PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$'
|
||||
+PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM
|
||||
+PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM
|
||||
+
|
||||
+user_pattern = re.compile(PATTERN_PRINCIPAL)
|
||||
+service_pattern = re.compile(PATTERN_SERVICE)
|
||||
+
|
||||
+
|
||||
+def validate_principal(principal):
|
||||
+ if not isinstance(principal, str):
|
||||
+ raise RuntimeError('Invalid principal: not a string')
|
||||
+ if ('/' in principal) and (' ' in principal):
|
||||
+ raise RuntimeError('Invalid principal: bad spacing')
|
||||
+ else:
|
||||
+ realm = None
|
||||
+ match = user_pattern.match(principal)
|
||||
+ if match is None:
|
||||
+ match = service_pattern.match(principal)
|
||||
+ if match is None:
|
||||
+ raise RuntimeError('Invalid principal: cannot parse')
|
||||
+ else:
|
||||
+ # service = match[1]
|
||||
+ hostname = match[2]
|
||||
+ realm = match[3]
|
||||
+ try:
|
||||
+ validate_hostname(hostname)
|
||||
+ except ValueError as e:
|
||||
+ raise RuntimeError(str(e))
|
||||
+ else: # user match, validate realm
|
||||
+ # username = match[1]
|
||||
+ realm = match[2]
|
||||
+ if realm and 'realm' in api.env and realm != api.env.realm:
|
||||
+ raise RuntimeError('Invalid principal: realm mismatch')
|
||||
+
|
||||
|
||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
"""
|
||||
@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
The optional parameter 'attempts' specifies how many times the credential
|
||||
initialization should be attempted in case of non-responsive KDC.
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
|
||||
KRB5_KDC_UNREACH}
|
||||
logger.debug("Initializing principal %s using keytab %s",
|
||||
@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
|
||||
return None
|
||||
|
||||
+
|
||||
def kinit_password(principal, password, ccache_name, config=None,
|
||||
armor_ccache_name=None, canonicalize=False,
|
||||
enterprise=False, lifetime=None):
|
||||
@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None,
|
||||
web-based authentication, use armor_ccache_path to specify http service
|
||||
ccache.
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
logger.debug("Initializing principal %s using password", principal)
|
||||
- args = [paths.KINIT, principal, '-c', ccache_name]
|
||||
+ args = [paths.KINIT, '-c', ccache_name]
|
||||
if armor_ccache_name is not None:
|
||||
logger.debug("Using armor ccache %s for FAST webauth",
|
||||
armor_ccache_name)
|
||||
@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None,
|
||||
logger.debug("Using enterprise principal")
|
||||
args.append('-E')
|
||||
|
||||
+ args.extend(['--', principal])
|
||||
env = {'LC_ALL': 'C'}
|
||||
if config is not None:
|
||||
env['KRB5_CONFIG'] = config
|
||||
@@ -154,6 +196,7 @@ def kinit_pkinit(
|
||||
|
||||
:raises: CalledProcessError if PKINIT fails
|
||||
"""
|
||||
+ validate_principal(principal)
|
||||
logger.debug(
|
||||
"Initializing principal %s using PKINIT %s", principal, user_identity
|
||||
)
|
||||
@@ -168,7 +211,7 @@ def kinit_pkinit(
|
||||
assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:"))
|
||||
args.extend(["-X", f"X509_anchors={pkinit_anchor}"])
|
||||
args.extend(["-X", f"X509_user_identity={user_identity}"])
|
||||
- args.append(principal)
|
||||
+ args.extend(['--', principal])
|
||||
|
||||
# this workaround enables us to capture stderr and put it
|
||||
# into the raised exception in case of unsuccessful authentication
|
||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||
index 3555014..60bfa61 100644
|
||||
--- a/ipaserver/rpcserver.py
|
||||
+++ b/ipaserver/rpcserver.py
|
||||
@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession):
|
||||
canonicalize=True,
|
||||
lifetime=self.api.env.kinit_lifetime)
|
||||
|
||||
- if armor_path:
|
||||
- logger.debug('Cleanup the armor ccache')
|
||||
- ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
||||
- env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
||||
except RuntimeError as e:
|
||||
if ('kinit: Cannot read password while '
|
||||
'getting initial credentials') in str(e):
|
||||
@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession):
|
||||
raise KrbPrincipalWrongFAST(principal=principal)
|
||||
raise InvalidSessionPassword(principal=principal,
|
||||
message=unicode(e))
|
||||
+ finally:
|
||||
+ if armor_path:
|
||||
+ logger.debug('Cleanup the armor ccache')
|
||||
+ ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
||||
+ env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
||||
|
||||
|
||||
class change_password(Backend, HTTP_Status):
|
||||
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
|
||||
index 91be057..400a248 100644
|
||||
--- a/ipatests/prci_definitions/gating.yaml
|
||||
+++ b/ipatests/prci_definitions/gating.yaml
|
||||
@@ -310,3 +310,15 @@ jobs:
|
||||
template: *ci-ipa-4-9-latest
|
||||
timeout: 3600
|
||||
topology: *master_1repl_1client
|
||||
+
|
||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
||||
+ requires: [fedora-latest-ipa-4-9/build]
|
||||
+ priority: 100
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||
+ test_suite: test_ipalib_install/test_kinit.py
|
||||
+ template: *ci-ipa-4-9-latest
|
||||
+ timeout: 600
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
index b2ab765..7c03a48 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
||||
@@ -1801,3 +1801,15 @@ jobs:
|
||||
template: *ci-ipa-4-9-latest
|
||||
timeout: 5000
|
||||
topology: *master_2repl_1client
|
||||
+
|
||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
||||
+ requires: [fedora-latest-ipa-4-9/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||
+ test_suite: test_ipalib_install/test_kinit.py
|
||||
+ template: *ci-ipa-4-9-latest
|
||||
+ timeout: 600
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||
index b7b3d3b..802bd2a 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
||||
@@ -1944,3 +1944,16 @@ jobs:
|
||||
template: *ci-ipa-4-9-latest
|
||||
timeout: 5000
|
||||
topology: *master_2repl_1client
|
||||
+
|
||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
||||
+ requires: [fedora-latest-ipa-4-9/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
||||
+ selinux_enforcing: True
|
||||
+ test_suite: test_ipalib_install/test_kinit.py
|
||||
+ template: *ci-ipa-4-9-latest
|
||||
+ timeout: 600
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
index eb3849e..1e1adb8 100644
|
||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
||||
@@ -1801,3 +1801,15 @@ jobs:
|
||||
template: *ci-ipa-4-9-previous
|
||||
timeout: 5000
|
||||
topology: *master_2repl_1client
|
||||
+
|
||||
+ fedora-previous-ipa-4-9/test_ipalib_install:
|
||||
+ requires: [fedora-previous-ipa-4-9/build]
|
||||
+ priority: 50
|
||||
+ job:
|
||||
+ class: RunPytest
|
||||
+ args:
|
||||
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
|
||||
+ test_suite: test_ipalib_install/test_kinit.py
|
||||
+ template: *ci-ipa-4-9-previous
|
||||
+ timeout: 600
|
||||
+ topology: *master_1repl
|
||||
diff --git a/ipatests/setup.py b/ipatests/setup.py
|
||||
index 6217a1b..0aec4a7 100644
|
||||
--- a/ipatests/setup.py
|
||||
+++ b/ipatests/setup.py
|
||||
@@ -41,6 +41,7 @@ if __name__ == '__main__':
|
||||
"ipatests.test_integration",
|
||||
"ipatests.test_ipaclient",
|
||||
"ipatests.test_ipalib",
|
||||
+ "ipatests.test_ipalib_install",
|
||||
"ipatests.test_ipaplatform",
|
||||
"ipatests.test_ipapython",
|
||||
"ipatests.test_ipaserver",
|
||||
diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
|
||||
new file mode 100644
|
||||
index 0000000..e69de29
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_ipalib_install/__init__.py
|
||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
||||
new file mode 100644
|
||||
index 0000000..f89ea17
|
||||
--- /dev/null
|
||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
||||
@@ -0,0 +1,29 @@
|
||||
+#
|
||||
+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
|
||||
+#
|
||||
+"""Tests for ipalib.install.kinit module
|
||||
+"""
|
||||
+
|
||||
+import pytest
|
||||
+
|
||||
+from ipalib.install.kinit import validate_principal
|
||||
+
|
||||
+
|
||||
+# None means no exception is expected
|
||||
+@pytest.mark.parametrize('principal, exception', [
|
||||
+ ('testuser', None),
|
||||
+ ('testuser@EXAMPLE.TEST', None),
|
||||
+ ('test/ipa.example.test', None),
|
||||
+ ('test/ipa.example.test@EXAMPLE.TEST', None),
|
||||
+ ('test/ipa@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test /ipa.example,test', RuntimeError),
|
||||
+ ('testuser@OTHER.TEST', RuntimeError),
|
||||
+ ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
||||
+])
|
||||
+def test_validate_principal(principal, exception):
|
||||
+ try:
|
||||
+ validate_principal(principal)
|
||||
+ except Exception as e:
|
||||
+ assert e.__class__ == exception
|
||||
|
||||
From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Feb 23 2024 09:49:27 +0000
|
||||
Subject: validate_principal: Don't try to verify that the realm is known
|
||||
|
||||
|
||||
The actual value is less important than whether it matches the
|
||||
regular expression. A number of legal but difficult to know in
|
||||
context realms could be passed in here (trust for example).
|
||||
|
||||
This fixes CVE-2024-1481
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9541
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
||||
index 4ad4eaa..d5fb56b 100644
|
||||
--- a/ipalib/install/kinit.py
|
||||
+++ b/ipalib/install/kinit.py
|
||||
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
|
||||
from ipapython.ipautil import run
|
||||
from ipalib.constants import PATTERN_GROUPUSER_NAME
|
||||
from ipalib.util import validate_hostname
|
||||
-from ipalib import api
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
@@ -39,7 +38,9 @@ def validate_principal(principal):
|
||||
if ('/' in principal) and (' ' in principal):
|
||||
raise RuntimeError('Invalid principal: bad spacing')
|
||||
else:
|
||||
- realm = None
|
||||
+ # For a user match in the regex
|
||||
+ # username = match[1]
|
||||
+ # realm = match[2]
|
||||
match = user_pattern.match(principal)
|
||||
if match is None:
|
||||
match = service_pattern.match(principal)
|
||||
@@ -48,16 +49,11 @@ def validate_principal(principal):
|
||||
else:
|
||||
# service = match[1]
|
||||
hostname = match[2]
|
||||
- realm = match[3]
|
||||
+ # realm = match[3]
|
||||
try:
|
||||
validate_hostname(hostname)
|
||||
except ValueError as e:
|
||||
raise RuntimeError(str(e))
|
||||
- else: # user match, validate realm
|
||||
- # username = match[1]
|
||||
- realm = match[2]
|
||||
- if realm and 'realm' in api.env and realm != api.env.realm:
|
||||
- raise RuntimeError('Invalid principal: realm mismatch')
|
||||
|
||||
|
||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
||||
index f89ea17..8289c4b 100644
|
||||
--- a/ipatests/test_ipalib_install/test_kinit.py
|
||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
||||
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
|
||||
('test/ipa.example.test@EXAMPLE.TEST', None),
|
||||
('test/ipa@EXAMPLE.TEST', RuntimeError),
|
||||
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
||||
- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', None),
|
||||
('test /ipa.example,test', RuntimeError),
|
||||
- ('testuser@OTHER.TEST', RuntimeError),
|
||||
- ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
||||
+ ('testuser@OTHER.TEST', None),
|
||||
+ ('test/ipa.example.test@OTHER.TEST', None)
|
||||
])
|
||||
def test_validate_principal(principal, exception):
|
||||
try:
|
||||
validate_principal(principal)
|
||||
except Exception as e:
|
||||
assert e.__class__ == exception
|
||||
+ else:
|
||||
+ if exception is not None:
|
||||
+ raise RuntimeError('Test should have failed')
|
||||
|
||||
|
|
@ -1,43 +0,0 @@
|
|||
From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
|
||||
From: Rob Crittenden <rcritten@redhat.com>
|
||||
Date: Mar 06 2024 08:34:57 +0000
|
||||
Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
|
||||
|
||||
|
||||
There is a fallback when creating the wrapping key but one was missing
|
||||
when trying to use the cached transport_cert.
|
||||
|
||||
This allows, along with forcing keyWrap.useOAEP=true, vault creation
|
||||
on an nCipher HSM.
|
||||
|
||||
This can be seen in HSMs where the device doesn't support the
|
||||
PKCS#1 v1.5 mechanism. It will error out with either "invalid
|
||||
algorithm" or CKR_FUNCTION_FAILED.
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9191
|
||||
|
||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
||||
index ed16c73..1523187 100644
|
||||
--- a/ipaclient/plugins/vault.py
|
||||
+++ b/ipaclient/plugins/vault.py
|
||||
@@ -757,8 +757,12 @@ class ModVaultData(Local):
|
||||
Calls the internal counterpart of the command.
|
||||
"""
|
||||
# try call with cached transport certificate
|
||||
- result = self._do_internal(algo, transport_cert, False,
|
||||
- False, *args, **options)
|
||||
+ try:
|
||||
+ result = self._do_internal(algo, transport_cert, False,
|
||||
+ False, *args, **options)
|
||||
+ except errors.EncodingError:
|
||||
+ result = self._do_internal(algo, transport_cert, False,
|
||||
+ True, *args, **options)
|
||||
if result is not None:
|
||||
return result
|
||||
|
||||
|
||||
|
|
@ -1,50 +0,0 @@
|
|||
From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Mar 20 2024 10:06:07 +0000
|
||||
Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains
|
||||
|
||||
|
||||
When get_realmdomains() method is called, it will filter out subdomains
|
||||
of the IPA primary domain. This is required because Active Directory
|
||||
domain controllers are assuming subdomains already covered by the main
|
||||
domain namespace.
|
||||
|
||||
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
|
||||
method of validating the forest trust information. They are the same as
|
||||
rules in [MS-ADTS] section 6.1.6. Specifically,
|
||||
|
||||
- A top-level name must not be superior to an enabled top-level name
|
||||
for another trusted domain object, unless the current trusted domain
|
||||
object has a corresponding exclusion record.
|
||||
|
||||
In practice, we filtered those subdomains already but the code wasn't
|
||||
invalidating a previously retrieved forest trust information.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9551
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index b6139db..7ee553d 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
|
||||
|
||||
info.count = len(ftinfo_records)
|
||||
info.entries = ftinfo_records
|
||||
+ another_domain.ftinfo_data = info
|
||||
return info
|
||||
|
||||
def clear_ftinfo_conflict(self, another_domain, cinfo):
|
||||
@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
|
||||
return
|
||||
|
||||
self.local_domain.ftinfo_records = []
|
||||
+ self.local_domain.ftinfo_data = None
|
||||
|
||||
realm_domains = self.api.Command.realmdomains_show()['result']
|
||||
# Use realmdomains' modification timestamp
|
||||
|
||||
|
|
@ -1,335 +0,0 @@
|
|||
From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mon, 3 Apr 2023 08:37:28 +0200
|
||||
Subject: [PATCH] ipatests: mark known failures for autoprivategroup
|
||||
|
||||
Two tests have known issues in test_trust.py with sssd 2.8.2+:
|
||||
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
|
||||
(when called with the "hybrid" parameter)
|
||||
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
|
||||
(when called with the "true" parameter)
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9295
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_trust.py | 17 ++++++++++++-----
|
||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 0d5b71cb0..12f000c1a 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||
self.gid_override
|
||||
):
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
- (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
||||
- assert (uid == self.uid_override and gid == self.gid_override)
|
||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
+ bad_version = sssd_version >= tasks.parse_version("2.8.2")
|
||||
+ cond = (type == 'hybrid') and bad_version
|
||||
+ with xfail_context(condition=cond,
|
||||
+ reason="https://pagure.io/freeipa/issue/9295"):
|
||||
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
||||
+ assert (uid == self.uid_override and gid == self.gid_override)
|
||||
test_group = self.clients[0].run_command(
|
||||
["id", nonposixuser]).stdout_text
|
||||
- # version = tasks.get_sssd_version(self.clients[0])
|
||||
with xfail_context(type == "hybrid",
|
||||
'https://github.com/SSSD/sssd/issues/5989'):
|
||||
assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||
@@ -1232,8 +1236,11 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||
posixuser = "testuser1@%s" % self.ad_domain
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
if type == "true":
|
||||
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||
- assert uid == gid
|
||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
+ with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
|
||||
+ "https://pagure.io/freeipa/issue/9295"):
|
||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||
+ assert uid == gid
|
||||
else:
|
||||
for host in [self.master, self.clients[0]]:
|
||||
result = host.run_command(['id', posixuser], raiseonerr=False)
|
||||
--
|
||||
2.44.0
|
||||
|
||||
From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Feb 12 2024 10:43:39 +0000
|
||||
Subject: ipatests: add xfail for autoprivate group test with override
|
||||
|
||||
|
||||
Because of SSSD issue 7169, secondary groups are not
|
||||
retrieved when autoprivate group is set and an idoverride
|
||||
replaces the user's primary group.
|
||||
Mark the known issues as xfail.
|
||||
|
||||
Related: https://github.com/SSSD/sssd/issues/7169
|
||||
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 3b9f0fb..2b94514 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||
assert (uid == self.uid_override and gid == self.gid_override)
|
||||
test_group = self.clients[0].run_command(
|
||||
["id", nonposixuser]).stdout_text
|
||||
- with xfail_context(type == "hybrid",
|
||||
- 'https://github.com/SSSD/sssd/issues/5989'):
|
||||
+ cond2 = ((type == 'false'
|
||||
+ and sssd_version >= tasks.parse_version("2.9.4"))
|
||||
+ or type == 'hybrid')
|
||||
+ with xfail_context(cond2,
|
||||
+ 'https://github.com/SSSD/sssd/issues/5989 '
|
||||
+ 'and 7169'):
|
||||
assert "domain users@{0}".format(self.ad_domain) in test_group
|
||||
|
||||
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
||||
@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||
assert(uid == self.uid_override
|
||||
and gid == self.gid_override)
|
||||
result = self.clients[0].run_command(['id', posixuser])
|
||||
- assert "10047(testgroup@{0})".format(
|
||||
- self.ad_domain) in result.stdout_text
|
||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
+ bad_version = sssd_version >= tasks.parse_version("2.9.4")
|
||||
+ with xfail_context(bad_version and type in ('false', 'hybrid'),
|
||||
+ "https://github.com/SSSD/sssd/issues/7169"):
|
||||
+ assert "10047(testgroup@{0})".format(
|
||||
+ self.ad_domain) in result.stdout_text
|
||||
|
||||
From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Feb 12 2024 10:44:47 +0000
|
||||
Subject: ipatests: remove xfail thanks to sssd 2.9.4
|
||||
|
||||
|
||||
SSSD 2.9.4 fixes some issues related to auto-private-group
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9295
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Anuja More <amore@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 12f000c..3b9f0fb 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
||||
):
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
- bad_version = sssd_version >= tasks.parse_version("2.8.2")
|
||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
||||
+ < tasks.parse_version("2.9.4"))
|
||||
cond = (type == 'hybrid') and bad_version
|
||||
with xfail_context(condition=cond,
|
||||
reason="https://pagure.io/freeipa/issue/9295"):
|
||||
@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
||||
self.mod_idrange_auto_private_group(type)
|
||||
if type == "true":
|
||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
||||
- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
|
||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
||||
+ < tasks.parse_version("2.9.4"))
|
||||
+ with xfail_context(bad_version,
|
||||
"https://pagure.io/freeipa/issue/9295"):
|
||||
(uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
||||
assert uid == gid
|
||||
|
||||
From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Mar 14 2023 16:50:25 +0000
|
||||
Subject: ipatests: adapt for new automembership fixup behavior
|
||||
|
||||
|
||||
The automembership fixup task now needs to be called
|
||||
with --cleanup argument when the user expects automember
|
||||
to remove user/hosts from automember groups.
|
||||
Update the test to call create a cleanup task equivalent to
|
||||
dsconf plugin automember fixup --cleanup
|
||||
when it is needed.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9313
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py
|
||||
index 7acd0d7..8b27f4d 100644
|
||||
--- a/ipatests/test_integration/test_automember.py
|
||||
+++ b/ipatests/test_integration/test_automember.py
|
||||
@@ -4,6 +4,7 @@
|
||||
"""This covers tests for automemberfeature."""
|
||||
|
||||
from __future__ import absolute_import
|
||||
+import uuid
|
||||
|
||||
from ipapython.dn import DN
|
||||
|
||||
@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest):
|
||||
# Running automember-build so that user is part of correct group
|
||||
result = self.master.run_command(['ipa', 'automember-rebuild',
|
||||
'--users=%s' % user2])
|
||||
+ assert msg in result.stdout_text
|
||||
+
|
||||
+ # The additional --cleanup argument is required
|
||||
+ cleanup_ldif = (
|
||||
+ "dn: cn={cn},cn=automember rebuild membership,"
|
||||
+ "cn=tasks,cn=config\n"
|
||||
+ "changetype: add\n"
|
||||
+ "objectclass: top\n"
|
||||
+ "objectclass: extensibleObject\n"
|
||||
+ "basedn: cn=users,cn=accounts,{suffix}\n"
|
||||
+ "filter: (uid={user})\n"
|
||||
+ "cleanup: yes\n"
|
||||
+ "scope: sub"
|
||||
+ ).format(cn=str(uuid.uuid4()),
|
||||
+ suffix=str(self.master.domain.basedn),
|
||||
+ user=user2)
|
||||
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
|
||||
+
|
||||
assert self.is_user_member_of_group(user2, group2)
|
||||
assert not self.is_user_member_of_group(user2, group1)
|
||||
|
||||
- assert msg in result.stdout_text
|
||||
-
|
||||
finally:
|
||||
# testcase cleanup
|
||||
self.remove_user_automember(user2, raiseonerr=False)
|
||||
@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest):
|
||||
result = self.master.run_command(
|
||||
['ipa', 'automember-rebuild', '--hosts=%s' % host2]
|
||||
)
|
||||
+ assert msg in result.stdout_text
|
||||
+
|
||||
+ # The additional --cleanup argument is required
|
||||
+ cleanup_ldif = (
|
||||
+ "dn: cn={cn},cn=automember rebuild membership,"
|
||||
+ "cn=tasks,cn=config\n"
|
||||
+ "changetype: add\n"
|
||||
+ "objectclass: top\n"
|
||||
+ "objectclass: extensibleObject\n"
|
||||
+ "basedn: cn=computers,cn=accounts,{suffix}\n"
|
||||
+ "filter: (fqdn={fqdn})\n"
|
||||
+ "cleanup: yes\n"
|
||||
+ "scope: sub"
|
||||
+ ).format(cn=str(uuid.uuid4()),
|
||||
+ suffix=str(self.master.domain.basedn),
|
||||
+ fqdn=host2)
|
||||
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
|
||||
+
|
||||
assert self.is_host_member_of_hostgroup(host2, hostgroup2)
|
||||
assert not self.is_host_member_of_hostgroup(host2, hostgroup1)
|
||||
|
||||
- assert msg in result.stdout_text
|
||||
-
|
||||
finally:
|
||||
# testcase cleanup
|
||||
self.remove_host_automember(host2, raiseonerr=False)
|
||||
|
||||
From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 24 Mar 2023 08:15:00 +0200
|
||||
Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in
|
||||
389-ds
|
||||
|
||||
Another change in automember plugin messaging that breaks FreeIPA tests.
|
||||
Use common substring to match.
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_xmlrpc/xmlrpc_test.py | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
|
||||
index cf11721bfca..5fe1245dc65 100644
|
||||
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
|
||||
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
|
||||
@@ -64,7 +64,7 @@ def test(xs):
|
||||
|
||||
# Matches an automember task finish message
|
||||
fuzzy_automember_message = Fuzzy(
|
||||
- r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$'
|
||||
+ r'^Automember rebuild task finished\. Processed \(\d+\) entries'
|
||||
)
|
||||
|
||||
# Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb'
|
||||
From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001
|
||||
From: Sudhir Menon <sumenon@redhat.com>
|
||||
Date: Wed, 20 Mar 2024 14:29:46 +0530
|
||||
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
|
||||
testcases.
|
||||
|
||||
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
|
||||
which causes error in STIG mode.
|
||||
|
||||
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
|
||||
Incorrect password/PIN entered.
|
||||
|
||||
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
|
||||
|
||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
index 8aae9fad776..a96de7088aa 100644
|
||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
||||
@@ -2731,17 +2731,18 @@ def remove_server_cert(self):
|
||||
Fixture to remove Server cert and revert the change.
|
||||
"""
|
||||
instance = realm_to_serverid(self.master.domain.realm)
|
||||
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
self.master.run_command(
|
||||
[
|
||||
"certutil",
|
||||
"-L",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
"-a",
|
||||
"-o",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
]
|
||||
)
|
||||
@@ -2760,15 +2761,15 @@ def remove_server_cert(self):
|
||||
[
|
||||
"certutil",
|
||||
"-d",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
||||
+ instance_dir,
|
||||
"-A",
|
||||
"-i",
|
||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
||||
+ instance_dir
|
||||
+ "/Server-Cert.pem",
|
||||
"-t",
|
||||
"u,u,u",
|
||||
"-f",
|
||||
- paths.IPA_NSSDB_PWDFILE_TXT,
|
||||
+ "%s/pwdfile.txt" % instance_dir,
|
||||
"-n",
|
||||
"Server-Cert",
|
||||
]
|
||||
|
|
@ -1,341 +0,0 @@
|
|||
From 0a48726e104282fb40d8f471ebb306bc9134cb0c Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Tue, 19 Mar 2024 12:24:40 +0100
|
||||
Subject: [PATCH] kdb: fix vulnerability in GCD rules handling
|
||||
|
||||
The initial implementation of MS-SFU by MIT Kerberos was missing some
|
||||
a condition for granting the "forwardable" flag on S4U2Self tickets.
|
||||
Fixing this mistake required to add a special case for the
|
||||
check_allowed_to_delegate() function: if the target service argument is
|
||||
NULL, then it means the KDC is probing for general constrained
|
||||
delegation rules, not actually checking a specific S4U2Proxy request.
|
||||
|
||||
In commit e86807b5, the behavior of ipadb_match_acl() was modified to
|
||||
match the changes from upstream MIT Kerberos a441fbe3. However, a
|
||||
mistake resulted in this mechanism to apply in cases where target
|
||||
service argument is set AND unset. This results in S4U2Proxy requests to
|
||||
be accepted regardless of the fact there is a matching service
|
||||
delegation rule or not.
|
||||
|
||||
This vulnerability does not affect services having RBCD (resource-based
|
||||
constrained delegation) rules.
|
||||
|
||||
This fixes CVE-2024-2698
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/README.s4u2proxy.txt | 19 ++-
|
||||
daemons/ipa-kdb/ipa_kdb_delegation.c | 191 +++++++++++++++------------
|
||||
2 files changed, 118 insertions(+), 92 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/README.s4u2proxy.txt b/daemons/ipa-kdb/README.s4u2proxy.txt
|
||||
index 254fcc4d1..ab34aff36 100644
|
||||
--- a/daemons/ipa-kdb/README.s4u2proxy.txt
|
||||
+++ b/daemons/ipa-kdb/README.s4u2proxy.txt
|
||||
@@ -12,9 +12,7 @@ much more easily managed.
|
||||
|
||||
The grouping mechanism has been built so that lookup is highly optimized
|
||||
and is basically reduced to a single search that uses the derefernce
|
||||
-control. Speed is very important in this case because KDC operations
|
||||
-time out very quickly and unless we add a caching layer in ipa-kdb we
|
||||
-must keep the number of searches down to avoid client timeouts.
|
||||
+control.
|
||||
|
||||
The grouping mechanism is very simple a groupOfPrincipals object is
|
||||
introduced, this Auxiliary class have a single optional attribute called
|
||||
@@ -112,8 +110,7 @@ kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com
|
||||
kvno -U admin HTTP/ipaserver.example.com
|
||||
|
||||
# Perform S4U2Proxy
|
||||
-kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com
|
||||
-ldap/ipaserver.example.com
|
||||
+kvno -U admin -P ldap/ipaserver.example.com
|
||||
|
||||
|
||||
If this works it means you successfully impersonated the admin user with
|
||||
@@ -125,6 +122,18 @@ modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com
|
||||
Simo.
|
||||
|
||||
|
||||
+If IPA is compiled with krb5 1.20 and newer (KDB DAL >= 9), then the
|
||||
+behavior of S4U2Self changes: S4U2Self TGS-REQs produce forwardable
|
||||
+tickets for all requesters, except if the requester principal is set as
|
||||
+the proxy (impersonating service) in at least one `servicedelegation`
|
||||
+rule. In this case, even if the rule has no target, the KDC will
|
||||
+response to S4U2Self requests with a non-forwardable ticket. Hence,
|
||||
+granting the `ok_to_auth_as_delegate` permission to the proxy service
|
||||
+remains the only way for this service to obtain the evidence ticket
|
||||
+required for general constrained delegation requests if this ticket is
|
||||
+not provided by the client.
|
||||
+
|
||||
+
|
||||
[1]
|
||||
Note that here I use the term proxy in a different way than it is used in
|
||||
the krb interfaces. It may seem a bit confusing but I think people will
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
|
||||
index de82174ad..3581f3c79 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_delegation.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
|
||||
@@ -91,120 +91,110 @@ static bool ipadb_match_member(char *princ, LDAPDerefRes *dres)
|
||||
return false;
|
||||
}
|
||||
|
||||
-static krb5_error_code ipadb_match_acl(krb5_context kcontext,
|
||||
- LDAPMessage *results,
|
||||
- krb5_const_principal client,
|
||||
- krb5_const_principal target)
|
||||
+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
+static krb5_error_code
|
||||
+ipadb_has_acl(krb5_context kcontext, LDAPMessage *ldap_acl, bool *res)
|
||||
{
|
||||
struct ipadb_context *ipactx;
|
||||
- krb5_error_code kerr;
|
||||
- LDAPMessage *lentry;
|
||||
- LDAPDerefRes *deref_results;
|
||||
- LDAPDerefRes *dres;
|
||||
- char *client_princ = NULL;
|
||||
- char *target_princ = NULL;
|
||||
- bool client_missing;
|
||||
- bool client_found;
|
||||
- bool target_found;
|
||||
- bool is_constraint_delegation = false;
|
||||
- size_t nrules = 0;
|
||||
- int ret;
|
||||
+ bool in_res = false;
|
||||
+ krb5_error_code kerr = 0;
|
||||
|
||||
ipactx = ipadb_get_context(kcontext);
|
||||
- if (!ipactx) {
|
||||
+ if (!ipactx)
|
||||
return KRB5_KDB_DBNOTINITED;
|
||||
- }
|
||||
|
||||
- if ((client != NULL) && (target != NULL)) {
|
||||
- kerr = krb5_unparse_name(kcontext, client, &client_princ);
|
||||
- if (kerr != 0) {
|
||||
- goto done;
|
||||
- }
|
||||
- kerr = krb5_unparse_name(kcontext, target, &target_princ);
|
||||
- if (kerr != 0) {
|
||||
- goto done;
|
||||
- }
|
||||
- } else {
|
||||
- is_constraint_delegation = true;
|
||||
+ switch (ldap_count_entries(ipactx->lcontext, ldap_acl)) {
|
||||
+ case 0:
|
||||
+ break;
|
||||
+ case -1:
|
||||
+ kerr = EINVAL;
|
||||
+ goto end;
|
||||
+ default:
|
||||
+ in_res = true;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
- lentry = ldap_first_entry(ipactx->lcontext, results);
|
||||
- if (!lentry) {
|
||||
- kerr = ENOENT;
|
||||
- goto done;
|
||||
- }
|
||||
+end:
|
||||
+ if (res)
|
||||
+ *res = in_res;
|
||||
+
|
||||
+ return kerr;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+static krb5_error_code
|
||||
+ipadb_match_acl(krb5_context kcontext, LDAPMessage *ldap_acl,
|
||||
+ krb5_const_principal client, krb5_const_principal target)
|
||||
+{
|
||||
+ struct ipadb_context *ipactx;
|
||||
+ LDAPMessage *rule;
|
||||
+ LDAPDerefRes *acis, *aci;
|
||||
+ char *client_princ = NULL, *target_princ= NULL;
|
||||
+ bool client_missing, client_found, target_found;
|
||||
+ int lerr;
|
||||
+ krb5_error_code kerr;
|
||||
+
|
||||
+ ipactx = ipadb_get_context(kcontext);
|
||||
+ if (!ipactx)
|
||||
+ return KRB5_KDB_DBNOTINITED;
|
||||
+
|
||||
+ kerr = krb5_unparse_name(kcontext, client, &client_princ);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ kerr = krb5_unparse_name(kcontext, target, &target_princ);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
|
||||
/* the default is that we fail */
|
||||
- kerr = ENOENT;
|
||||
+ kerr = KRB5KDC_ERR_BADOPTION;
|
||||
|
||||
- while (lentry) {
|
||||
+ for (rule = ldap_first_entry(ipactx->lcontext, ldap_acl);
|
||||
+ rule;
|
||||
+ rule = ldap_next_entry(ipactx->lcontext, rule))
|
||||
+ {
|
||||
/* both client and target must be found in the same ACI */
|
||||
client_missing = true;
|
||||
client_found = false;
|
||||
target_found = false;
|
||||
|
||||
- ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry,
|
||||
- &deref_results);
|
||||
- switch (ret) {
|
||||
+ lerr = ipadb_ldap_deref_results(ipactx->lcontext, rule, &acis);
|
||||
+ switch (lerr) {
|
||||
case 0:
|
||||
- for (dres = deref_results; dres; dres = dres->next) {
|
||||
- nrules++;
|
||||
- if (is_constraint_delegation) {
|
||||
- /*
|
||||
- Microsoft revised the S4U2Proxy rules for forwardable
|
||||
- tickets. All S4U2Proxy operations require forwardable
|
||||
- evidence tickets, but S4U2Self should issue a
|
||||
- forwardable ticket if the requesting service has no
|
||||
- ok-to-auth-as-delegate bit but also no constrained
|
||||
- delegation privileges for traditional S4U2Proxy.
|
||||
- Implement these rules, extending the
|
||||
- check_allowed_to_delegate() DAL method so that the KDC
|
||||
- can ask if a principal has any delegation privileges.
|
||||
-
|
||||
- Since target principal is NULL and client principal is
|
||||
- NULL in this case, we simply calculate number of rules associated
|
||||
- with the server principal to decide whether to deny forwardable bit
|
||||
- */
|
||||
- continue;
|
||||
- }
|
||||
- if (client_found == false &&
|
||||
- strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) {
|
||||
+ for (aci = acis; aci; aci = aci->next) {
|
||||
+ if (!client_found &&
|
||||
+ 0 == strcasecmp(aci->derefAttr, "ipaAllowToImpersonate"))
|
||||
+ {
|
||||
/* NOTE: client_missing is used to signal that the
|
||||
* attribute was completely missing. This signals that
|
||||
* ANY client is allowed to be impersonated.
|
||||
* This logic is valid only for clients, not for targets */
|
||||
client_missing = false;
|
||||
- client_found = ipadb_match_member(client_princ, dres);
|
||||
+ client_found = ipadb_match_member(client_princ, aci);
|
||||
}
|
||||
- if (target_found == false &&
|
||||
- strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) {
|
||||
- target_found = ipadb_match_member(target_princ, dres);
|
||||
+ if (!target_found &&
|
||||
+ 0 == strcasecmp(aci->derefAttr, "ipaAllowedTarget"))
|
||||
+ {
|
||||
+ target_found = ipadb_match_member(target_princ, aci);
|
||||
}
|
||||
}
|
||||
|
||||
- ldap_derefresponse_free(deref_results);
|
||||
+ ldap_derefresponse_free(acis);
|
||||
break;
|
||||
case ENOENT:
|
||||
break;
|
||||
default:
|
||||
- kerr = ret;
|
||||
- goto done;
|
||||
+ kerr = lerr;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
- if ((client_found == true || client_missing == true) &&
|
||||
- target_found == true) {
|
||||
+ if ((client_found || client_missing) && target_found) {
|
||||
kerr = 0;
|
||||
- goto done;
|
||||
+ goto end;
|
||||
}
|
||||
-
|
||||
- lentry = ldap_next_entry(ipactx->lcontext, lentry);
|
||||
- }
|
||||
-
|
||||
- if (nrules > 0) {
|
||||
- kerr = 0;
|
||||
}
|
||||
|
||||
-done:
|
||||
+end:
|
||||
krb5_free_unparsed_name(kcontext, client_princ);
|
||||
krb5_free_unparsed_name(kcontext, target_princ);
|
||||
return kerr;
|
||||
@@ -223,7 +213,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
|
||||
char *srv_principal = NULL;
|
||||
krb5_db_entry *proxy_entry = NULL;
|
||||
struct ipadb_e_data *ied_server, *ied_proxy;
|
||||
- LDAPMessage *res = NULL;
|
||||
+ LDAPMessage *ldap_gcd_acl = NULL;
|
||||
|
||||
if (proxy != NULL) {
|
||||
/* Handle the case where server == proxy, this is allowed in S4U */
|
||||
@@ -261,26 +251,53 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
|
||||
goto done;
|
||||
}
|
||||
|
||||
- kerr = ipadb_get_delegation_acl(kcontext, srv_principal, &res);
|
||||
+ /* Load general constrained delegation rules */
|
||||
+ kerr = ipadb_get_delegation_acl(kcontext, srv_principal, &ldap_gcd_acl);
|
||||
if (kerr) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
- kerr = ipadb_match_acl(kcontext, res, client, proxy);
|
||||
- if (kerr) {
|
||||
- goto done;
|
||||
+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
+ /*
|
||||
+ * Microsoft revised the S4U2Proxy rules for forwardable tickets. All
|
||||
+ * S4U2Proxy operations require forwardable evidence tickets, but
|
||||
+ * S4U2Self should issue a forwardable ticket if the requesting service
|
||||
+ * has no ok-to-auth-as-delegate bit but also no constrained delegation
|
||||
+ * privileges for traditional S4U2Proxy. Implement these rules,
|
||||
+ * extending the check_allowed_to_delegate() DAL method so that the KDC
|
||||
+ * can ask if a principal has any delegation privileges.
|
||||
+ *
|
||||
+ * If target service principal is NULL, and the impersonating service has
|
||||
+ * at least one GCD rule, then succeed.
|
||||
+ */
|
||||
+ if (!proxy) {
|
||||
+ bool has_gcd_rules;
|
||||
+
|
||||
+ kerr = ipadb_has_acl(kcontext, ldap_gcd_acl, &has_gcd_rules);
|
||||
+ if (!kerr)
|
||||
+ kerr = has_gcd_rules ? 0 : KRB5KDC_ERR_BADOPTION;
|
||||
+ } else if (client) {
|
||||
+#else
|
||||
+ if (client && proxy) {
|
||||
+#endif
|
||||
+ kerr = ipadb_match_acl(kcontext, ldap_gcd_acl, client, proxy);
|
||||
+ } else {
|
||||
+ /* client and/or proxy is missing */
|
||||
+ kerr = KRB5KDC_ERR_BADOPTION;
|
||||
}
|
||||
+ if (kerr)
|
||||
+ goto done;
|
||||
|
||||
done:
|
||||
if (kerr) {
|
||||
-#if KRB5_KDB_DAL_MAJOR_VERSION < 9
|
||||
- kerr = KRB5KDC_ERR_POLICY;
|
||||
-#else
|
||||
+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9
|
||||
kerr = KRB5KDC_ERR_BADOPTION;
|
||||
+#else
|
||||
+ kerr = KRB5KDC_ERR_POLICY;
|
||||
#endif
|
||||
}
|
||||
ipadb_free_principal(kcontext, proxy_entry);
|
||||
krb5_free_unparsed_name(kcontext, srv_principal);
|
||||
- ldap_msgfree(res);
|
||||
+ ldap_msgfree(ldap_gcd_acl);
|
||||
return kerr;
|
||||
}
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
|
@ -1,548 +0,0 @@
|
|||
From 70d23b8f6bbcabe2eb621ffa5009866b43e5570a Mon Sep 17 00:00:00 2001
|
||||
From: Julien Rische <jrische@redhat.com>
|
||||
Date: Mon, 25 Mar 2024 18:25:52 +0200
|
||||
Subject: [PATCH] kdb: apply combinatorial logic for ticket flags
|
||||
|
||||
The initial design for ticket flags was implementing this logic:
|
||||
* If a ticket policy is defined for the principal entry, use flags from
|
||||
this policy if they are set. Otherwise, use default ticket flags.
|
||||
* If no ticket policy is defined for the principal entry, but there is a
|
||||
global one, use flags from the global ticket policy if they are set.
|
||||
Otherwise, use default ticket flags.
|
||||
* If no policy (principal nor global) is defined, use default ticket
|
||||
flags.
|
||||
|
||||
However, this logic was broken by a1165ffb which introduced creation of
|
||||
a principal-level ticket policy in case the ticket flag set is modified.
|
||||
This was typically the case for the -allow_tix flag, which was set
|
||||
virtually by the KDB driver when a user was locked until they initialize
|
||||
their password on first kinit pre-authentication.
|
||||
|
||||
This was causing multiple issues, which are mitigated by the new
|
||||
approach:
|
||||
|
||||
Now flags from each level are combined together. There flags like
|
||||
+requires_preauth which are set systematically by the KDB diver, as
|
||||
well as -allow_tix which is set based on the value of "nsAccountLock".
|
||||
This commit also adds the implicit -allow_svr ticket flag for user
|
||||
principals to protect users against Kerberoast-type attacks. None of
|
||||
these flags are stored in the LDAP database, they are hard-coded in the
|
||||
KDB driver.
|
||||
|
||||
In addition to these "virtual" ticket flags, flags from both global and
|
||||
principal ticket policies are applied (if these policies exist).
|
||||
|
||||
Principal ticket policies are not supported for hosts and services, but
|
||||
this is only an HTTP API limitation. The "krbTicketPolicyAux" object
|
||||
class is supported for all account types. This is required for ticket
|
||||
flags like +ok_to_auth_as_delegate. Such flags can be set using "ipa
|
||||
host-mod" and "ipa serivce-mod", or using kadmin's "modprinc".
|
||||
|
||||
It is possible to ignore flags from the global ticket policy or default
|
||||
flags like -allow_svr for a user principal by setting the
|
||||
"final_user_tkt_flags" string attribute to "true" in kadmin. In this
|
||||
case, any ticket flag can be configured in the principal ticket policy,
|
||||
except requires_preauth and allow_tix.
|
||||
|
||||
This fixes CVE-2024-3183
|
||||
|
||||
Signed-off-by: Julien Rische <jrische@redhat.com>
|
||||
---
|
||||
daemons/ipa-kdb/ipa_kdb.h | 43 ++++
|
||||
daemons/ipa-kdb/ipa_kdb_principals.c | 306 ++++++++++++++++++++++-----
|
||||
util/ipa_krb5.c | 18 ++
|
||||
util/ipa_krb5.h | 4 +
|
||||
4 files changed, 319 insertions(+), 52 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
|
||||
index 7baf4697f..85cabe142 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb.h
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb.h
|
||||
@@ -94,6 +94,34 @@
|
||||
#define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData"
|
||||
#define IPA_USER_AUTH_TYPE "ipaUserAuthType"
|
||||
|
||||
+/* Virtual managed ticket flags like "-allow_tix", are always controlled by the
|
||||
+ * "nsAccountLock" attribute, such flags should never be set in the database.
|
||||
+ * The following expression combine all of them, and is used to filter them
|
||||
+ * out. */
|
||||
+#define IPA_KDB_TKTFLAGS_VIRTUAL_MANAGED_ALL (KRB5_KDB_DISALLOW_ALL_TIX)
|
||||
+
|
||||
+/* Virtual static ticket flags are hard-coded in the KDB driver. */
|
||||
+/* Virtual static mandatory flags are set systematically and implicitly for all
|
||||
+ * principals. They are filtered out from database ticket flags updates.
|
||||
+ * (However, "KRB5_KDB_REQUIRES_PRE_AUTH" can still be unset by the
|
||||
+ * "KDC:Disable Default Preauth for SPNs" global setting) */
|
||||
+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_MANDATORY (KRB5_KDB_REQUIRES_PRE_AUTH)
|
||||
+/* Virtual static default ticket flags are implicitly set for user and non-user
|
||||
+ * (SPN) principals, and not stored in the database.
|
||||
+ * (Except if the "IPA_KDB_STRATTR_FINAL_TKTFLAGS" string attribute is "true"
|
||||
+ * the principal) */
|
||||
+/* Virtual static default user ticket flags are set for users only. The
|
||||
+ * "-allow_svr" flag is set to protect them from CVE-2024-3183. */
|
||||
+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_USER (KRB5_KDB_DISALLOW_SVR)
|
||||
+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_SPN (0)
|
||||
+
|
||||
+/* If this string attribute is set to "true", then only the virtual managed and
|
||||
+ * virtual static mandatory ticket flags are applied and filtered out from
|
||||
+ * database read and write operations for the concerned user principal.
|
||||
+ * Configurable principal ticket flags are applied, but not the configurable
|
||||
+ * global ticket policy flags. */
|
||||
+#define IPA_KDB_STRATTR_FINAL_USER_TKTFLAGS "final_user_tkt_flags"
|
||||
+
|
||||
struct ipadb_mspac;
|
||||
struct dom_sid;
|
||||
|
||||
@@ -178,6 +206,21 @@ struct ipadb_e_data {
|
||||
struct dom_sid *sid;
|
||||
};
|
||||
|
||||
+inline static krb5_error_code
|
||||
+ipadb_get_edata(krb5_db_entry *entry, struct ipadb_e_data **ied)
|
||||
+{
|
||||
+ struct ipadb_e_data *in_ied;
|
||||
+
|
||||
+ in_ied = (struct ipadb_e_data *)entry->e_data;
|
||||
+ if (!in_ied || in_ied->magic != IPA_E_DATA_MAGIC)
|
||||
+ return EINVAL;
|
||||
+
|
||||
+ if (ied)
|
||||
+ *ied = in_ied;
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
struct ipadb_context *ipadb_get_context(krb5_context kcontext);
|
||||
int ipadb_get_connection(struct ipadb_context *ipactx);
|
||||
|
||||
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
index 07cc87746..cb18861bb 100644
|
||||
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
|
||||
@@ -706,9 +706,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
|
||||
"krbTicketFlags", &result);
|
||||
if (ret == 0) {
|
||||
entry->attributes = result;
|
||||
- } else {
|
||||
- *polmask |= TKTFLAGS_BIT;
|
||||
}
|
||||
+ /* Since principal, global policy, and virtual ticket flags are combined,
|
||||
+ * they must always be resolved. */
|
||||
+ *polmask |= TKTFLAGS_BIT;
|
||||
|
||||
ret = ipadb_ldap_attr_to_int(lcontext, lentry,
|
||||
"krbMaxTicketLife", &result);
|
||||
@@ -1251,23 +1252,150 @@ done:
|
||||
return ret;
|
||||
}
|
||||
|
||||
-static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
|
||||
- krb5_db_entry *entry)
|
||||
+static krb5_error_code
|
||||
+are_final_tktflags(struct ipadb_context *ipactx, krb5_db_entry *entry,
|
||||
+ bool *final_tktflags)
|
||||
{
|
||||
- const struct ipadb_global_config *config;
|
||||
+ krb5_error_code kerr;
|
||||
struct ipadb_e_data *ied;
|
||||
+ char *str = NULL;
|
||||
+ bool in_final_tktflags = false;
|
||||
|
||||
- config = ipadb_get_global_config(ipactx);
|
||||
- if (config && config->disable_preauth_for_spns) {
|
||||
- ied = (struct ipadb_e_data *)entry->e_data;
|
||||
- if (ied && ied->ipa_user != true) {
|
||||
- /* not a user, assume SPN */
|
||||
- return 0;
|
||||
- }
|
||||
+ kerr = ipadb_get_edata(entry, &ied);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ if (!ied->ipa_user) {
|
||||
+ kerr = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ kerr = krb5_dbe_get_string(ipactx->kcontext, entry,
|
||||
+ IPA_KDB_STRATTR_FINAL_USER_TKTFLAGS, &str);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ in_final_tktflags = str && ipa_krb5_parse_bool(str);
|
||||
+
|
||||
+end:
|
||||
+ if (final_tktflags)
|
||||
+ *final_tktflags = in_final_tktflags;
|
||||
+
|
||||
+ krb5_dbe_free_string(ipactx->kcontext, str);
|
||||
+ return kerr;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+add_virtual_static_tktflags(struct ipadb_context *ipactx, krb5_db_entry *entry,
|
||||
+ krb5_flags *tktflags)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ krb5_flags vsflg;
|
||||
+ bool final_tktflags;
|
||||
+ const struct ipadb_global_config *gcfg;
|
||||
+ struct ipadb_e_data *ied;
|
||||
+
|
||||
+ vsflg = IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_MANDATORY;
|
||||
+
|
||||
+ kerr = ipadb_get_edata(entry, &ied);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ /* In practice, principal ticket flags cannot be final for SPNs. */
|
||||
+ if (!final_tktflags)
|
||||
+ vsflg |= ied->ipa_user ? IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_USER
|
||||
+ : IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_SPN;
|
||||
+
|
||||
+ if (!ied->ipa_user) {
|
||||
+ gcfg = ipadb_get_global_config(ipactx);
|
||||
+ if (gcfg && gcfg->disable_preauth_for_spns)
|
||||
+ vsflg &= ~KRB5_KDB_REQUIRES_PRE_AUTH;
|
||||
}
|
||||
|
||||
- /* By default require preauth for all principals */
|
||||
- return KRB5_KDB_REQUIRES_PRE_AUTH;
|
||||
+ if (tktflags)
|
||||
+ *tktflags |= vsflg;
|
||||
+
|
||||
+end:
|
||||
+ return kerr;
|
||||
+}
|
||||
+
|
||||
+static krb5_error_code
|
||||
+get_virtual_static_tktflags_mask(struct ipadb_context *ipactx,
|
||||
+ krb5_db_entry *entry, krb5_flags *mask)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ krb5_flags flags = IPA_KDB_TKTFLAGS_VIRTUAL_MANAGED_ALL;
|
||||
+
|
||||
+ kerr = add_virtual_static_tktflags(ipactx, entry, &flags);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ if (mask)
|
||||
+ *mask = ~flags;
|
||||
+
|
||||
+ kerr = 0;
|
||||
+
|
||||
+end:
|
||||
+ return kerr;
|
||||
+}
|
||||
+
|
||||
+/* Add ticket flags from the global ticket policy if it exists, otherwise
|
||||
+ * succeed. If the global ticket policy is set, the "exists" parameter is set to
|
||||
+ * true. */
|
||||
+static krb5_error_code
|
||||
+add_global_ticket_policy_flags(struct ipadb_context *ipactx,
|
||||
+ bool *gtpol_exists, krb5_flags *tktflags)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ char *policy_dn;
|
||||
+ char *tktflags_attr[] = { "krbticketflags", NULL };
|
||||
+ LDAPMessage *res = NULL, *first;
|
||||
+ int ec, ldap_tktflags;
|
||||
+ bool in_gtpol_exists = false;
|
||||
+
|
||||
+ ec = asprintf(&policy_dn, "cn=%s,cn=kerberos,%s", ipactx->realm,
|
||||
+ ipactx->base);
|
||||
+ if (-1 == ec) {
|
||||
+ kerr = ENOMEM;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ kerr = ipadb_simple_search(ipactx, policy_dn, LDAP_SCOPE_BASE,
|
||||
+ "(objectclass=krbticketpolicyaux)",
|
||||
+ tktflags_attr, &res);
|
||||
+ if (kerr) {
|
||||
+ if (KRB5_KDB_NOENTRY == kerr)
|
||||
+ kerr = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ first = ldap_first_entry(ipactx->lcontext, res);
|
||||
+ if (!first) {
|
||||
+ kerr = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ in_gtpol_exists = true;
|
||||
+
|
||||
+ ec = ipadb_ldap_attr_to_int(ipactx->lcontext, first, "krbticketflags",
|
||||
+ &ldap_tktflags);
|
||||
+ if (0 == ec && tktflags) {
|
||||
+ *tktflags |= (krb5_flags)ldap_tktflags;
|
||||
+ }
|
||||
+
|
||||
+ kerr = 0;
|
||||
+
|
||||
+end:
|
||||
+ if (gtpol_exists)
|
||||
+ *gtpol_exists = in_gtpol_exists;
|
||||
+
|
||||
+ ldap_msgfree(res);
|
||||
+ free(policy_dn);
|
||||
+ return kerr;
|
||||
}
|
||||
|
||||
static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
@@ -1280,6 +1408,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
char *policy_dn = NULL;
|
||||
LDAPMessage *res = NULL;
|
||||
LDAPMessage *first;
|
||||
+ bool final_tktflags, has_local_tktpolicy = true;
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
@@ -1288,12 +1417,18 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
return KRB5_KDB_DBNOTINITED;
|
||||
}
|
||||
|
||||
+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags);
|
||||
+ if (kerr)
|
||||
+ goto done;
|
||||
+
|
||||
ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
|
||||
"krbticketpolicyreference", &policy_dn);
|
||||
switch (ret) {
|
||||
case 0:
|
||||
break;
|
||||
case ENOENT:
|
||||
+ /* If no principal ticket policy, fallback to the global one. */
|
||||
+ has_local_tktpolicy = false;
|
||||
ret = asprintf(&policy_dn, "cn=%s,cn=kerberos,%s",
|
||||
ipactx->realm, ipactx->base);
|
||||
if (ret == -1) {
|
||||
@@ -1337,12 +1472,13 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
}
|
||||
}
|
||||
if (polmask & TKTFLAGS_BIT) {
|
||||
- ret = ipadb_ldap_attr_to_int(ipactx->lcontext, first,
|
||||
- "krbticketflags", &result);
|
||||
- if (ret == 0) {
|
||||
- entry->attributes |= result;
|
||||
- } else {
|
||||
- entry->attributes |= maybe_require_preauth(ipactx, entry);
|
||||
+ /* If global ticket policy is being applied, set flags only if
|
||||
+ * user principal ticket flags are not final. */
|
||||
+ if (has_local_tktpolicy || !final_tktflags) {
|
||||
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, first,
|
||||
+ "krbticketflags", &result);
|
||||
+ if (ret == 0)
|
||||
+ entry->attributes |= result;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1366,13 +1502,27 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext,
|
||||
if (polmask & MAXRENEWABLEAGE_BIT) {
|
||||
entry->max_renewable_life = 604800;
|
||||
}
|
||||
- if (polmask & TKTFLAGS_BIT) {
|
||||
- entry->attributes |= maybe_require_preauth(ipactx, entry);
|
||||
- }
|
||||
|
||||
kerr = 0;
|
||||
}
|
||||
|
||||
+ if (polmask & TKTFLAGS_BIT) {
|
||||
+ /* If the principal ticket flags were applied, then flags from the
|
||||
+ * global ticket policy has to be applied atop of them if user principal
|
||||
+ * ticket flags are not final. */
|
||||
+ if (has_local_tktpolicy && !final_tktflags) {
|
||||
+ kerr = add_global_ticket_policy_flags(ipactx, NULL,
|
||||
+ &entry->attributes);
|
||||
+ if (kerr)
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
+ /* Virtual static ticket flags are set regardless of database content */
|
||||
+ kerr = add_virtual_static_tktflags(ipactx, entry, &entry->attributes);
|
||||
+ if (kerr)
|
||||
+ goto done;
|
||||
+ }
|
||||
+
|
||||
done:
|
||||
ldap_msgfree(res);
|
||||
free(policy_dn);
|
||||
@@ -2275,6 +2425,85 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
|
||||
return ret;
|
||||
}
|
||||
|
||||
+static krb5_error_code
|
||||
+update_tktflags(krb5_context kcontext, struct ipadb_mods *imods,
|
||||
+ krb5_db_entry *entry, int mod_op)
|
||||
+{
|
||||
+ krb5_error_code kerr;
|
||||
+ struct ipadb_context *ipactx;
|
||||
+ struct ipadb_e_data *ied;
|
||||
+ bool final_tktflags;
|
||||
+ krb5_flags tktflags_mask;
|
||||
+ int tktflags;
|
||||
+
|
||||
+ kerr = ipadb_get_edata(entry, &ied);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ ipactx = ipadb_get_context(kcontext);
|
||||
+ if (!ipactx) {
|
||||
+ kerr = KRB5_KDB_DBNOTINITED;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ kerr = get_virtual_static_tktflags_mask(ipactx, entry, &tktflags_mask);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ /* Flags from the global ticket policy are filtered out only if the user
|
||||
+ * principal flags are not final. */
|
||||
+ if (!final_tktflags) {
|
||||
+ krb5_flags gtpol_tktflags = 0;
|
||||
+
|
||||
+ kerr = add_global_ticket_policy_flags(ipactx, NULL, >pol_tktflags);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ tktflags_mask &= ~gtpol_tktflags;
|
||||
+ }
|
||||
+
|
||||
+ tktflags = (int)(entry->attributes & tktflags_mask);
|
||||
+
|
||||
+ if (LDAP_MOD_REPLACE == mod_op && !ied->has_tktpolaux) {
|
||||
+ if (0 == tktflags) {
|
||||
+ /* No point initializing principal ticket policy if there are no
|
||||
+ * flags left after filtering out virtual and global ticket policy
|
||||
+ * ones. */
|
||||
+ kerr = 0;
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ /* if the object does not have the krbTicketPolicyAux class
|
||||
+ * we need to add it or this will fail, only for modifications.
|
||||
+ * We always add this objectclass by default when doing an add
|
||||
+ * from scratch. */
|
||||
+ kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
|
||||
+ "krbTicketPolicyAux", LDAP_MOD_ADD);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+ kerr = ipadb_get_ldap_mod_int(imods, "krbTicketFlags", tktflags, mod_op);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+
|
||||
+ /* If there are no custom ticket flags set in the principal, remove the
|
||||
+ * "krbTicketFlags" attribute. */
|
||||
+ if (0 == tktflags) {
|
||||
+ kerr = ipadb_get_ldap_mod_int(imods, "krbTicketFlags", tktflags,
|
||||
+ LDAP_MOD_DELETE);
|
||||
+ if (kerr)
|
||||
+ goto end;
|
||||
+ }
|
||||
+
|
||||
+end:
|
||||
+ return kerr;
|
||||
+}
|
||||
+
|
||||
static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
|
||||
struct ipadb_mods *imods,
|
||||
krb5_db_entry *entry,
|
||||
@@ -2350,36 +2579,9 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext,
|
||||
|
||||
/* KADM5_ATTRIBUTES */
|
||||
if (entry->mask & KMASK_ATTRIBUTES) {
|
||||
- /* if the object does not have the krbTicketPolicyAux class
|
||||
- * we need to add it or this will fail, only for modifications.
|
||||
- * We always add this objectclass by default when doing an add
|
||||
- * from scratch. */
|
||||
- if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) {
|
||||
- struct ipadb_e_data *ied;
|
||||
-
|
||||
- ied = (struct ipadb_e_data *)entry->e_data;
|
||||
- if (ied->magic != IPA_E_DATA_MAGIC) {
|
||||
- kerr = EINVAL;
|
||||
- goto done;
|
||||
- }
|
||||
-
|
||||
- if (!ied->has_tktpolaux) {
|
||||
- kerr = ipadb_get_ldap_mod_str(imods, "objectclass",
|
||||
- "krbTicketPolicyAux",
|
||||
- LDAP_MOD_ADD);
|
||||
- if (kerr) {
|
||||
- goto done;
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-
|
||||
- kerr = ipadb_get_ldap_mod_int(imods,
|
||||
- "krbTicketFlags",
|
||||
- (int)entry->attributes,
|
||||
- mod_op);
|
||||
- if (kerr) {
|
||||
+ kerr = update_tktflags(kcontext, imods, entry, mod_op);
|
||||
+ if (kerr)
|
||||
goto done;
|
||||
- }
|
||||
}
|
||||
|
||||
/* KADM5_MAX_LIFE */
|
||||
diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
|
||||
index 1ba6d25ee..2e663c506 100644
|
||||
--- a/util/ipa_krb5.c
|
||||
+++ b/util/ipa_krb5.c
|
||||
@@ -38,6 +38,12 @@ const char *ipapwd_password_max_len_errmsg = \
|
||||
TOSTR(IPAPWD_PASSWORD_MAX_LEN) \
|
||||
" chars)!";
|
||||
|
||||
+/* Case-insensitive string values to by parsed as boolean true */
|
||||
+static const char *const conf_yes[] = {
|
||||
+ "y", "yes", "true", "t", "1", "on",
|
||||
+ NULL,
|
||||
+};
|
||||
+
|
||||
/* Salt types */
|
||||
#define KRB5P_SALT_SIZE 16
|
||||
|
||||
@@ -1237,3 +1243,15 @@ done:
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+bool ipa_krb5_parse_bool(const char *str)
|
||||
+{
|
||||
+ const char *const *p;
|
||||
+
|
||||
+ for (p = conf_yes; *p; p++) {
|
||||
+ if (!strcasecmp(*p, str))
|
||||
+ return true;
|
||||
+ }
|
||||
+
|
||||
+ return false;
|
||||
+}
|
||||
diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
|
||||
index 7d2ebae98..d0280940a 100644
|
||||
--- a/util/ipa_krb5.h
|
||||
+++ b/util/ipa_krb5.h
|
||||
@@ -174,3 +174,7 @@ static inline bool
|
||||
krb5_ts_after(krb5_timestamp a, krb5_timestamp b) {
|
||||
return (uint32_t)a > (uint32_t)b;
|
||||
}
|
||||
+
|
||||
+/* Implement boolean string parsing function from MIT krb5:
|
||||
+ * src/lib/krb5/krb/libdef_parse.c:_krb5_conf_boolean() */
|
||||
+bool ipa_krb5_parse_bool(const char *str);
|
||||
--
|
||||
2.44.0
|
||||
|
||||
|
|
@ -81,8 +81,7 @@
|
|||
|
||||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
||||
%global httpd_version 2.4.37-21
|
||||
# Fix for RHEL-25649
|
||||
%global bind_version 9.11.36-14
|
||||
%global bind_version 9.11.20-6
|
||||
|
||||
%else
|
||||
# Fedora
|
||||
|
|
@ -190,7 +189,7 @@
|
|||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 10%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
|
|
@ -231,12 +230,6 @@ Patch0019: 0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
|
|||
Patch0020: 0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
|
||||
Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
|
||||
Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
||||
Patch0023: 0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
|
||||
Patch0024: 0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
|
||||
Patch0025: 0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch
|
||||
Patch0026: 0026-backport-test-fixes_rhel#29908.patch
|
||||
Patch0027: 0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch
|
||||
Patch0028: 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||
|
|
@ -1752,29 +1745,6 @@ fi
|
|||
%endif
|
||||
|
||||
%changelog
|
||||
* Tue Apr 30 2024 Julien Rische <jrische@redhat.com> - 4.9.13-10
|
||||
- kdb: apply combinatorial logic for ticket flags (CVE-2024-3183)
|
||||
Resolves: RHEL-29927
|
||||
- kdb: fix vulnerability in GCD rules handling (CVE-2024-2698)
|
||||
Resolves: RHEL-29692
|
||||
|
||||
* Fri Apr 12 2024 Rafael Jeffman <rjeffman@redhat.com> - 9.4.13-9
|
||||
- dcerpc: invalidate forest trust intfo cache when filtering out realm domains
|
||||
Resolves: RHEL-28559
|
||||
- Backport latests test fixes in python3-tests
|
||||
ipatests: add xfail for autoprivate group test with override
|
||||
ipatests: remove xfail thanks to sssd 2.9.4
|
||||
ipatests: adapt for new automembership fixup behavior
|
||||
ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases
|
||||
test_xmlrpc: adopt to automember plugin message changes in 389-ds
|
||||
Resolves: RHEL-29908
|
||||
|
||||
* Thu Mar 07 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-8
|
||||
- rpcserver: validate Kerberos principal name before running kinit
|
||||
Resolves: RHEL-26153
|
||||
- Vault: add additional fallback to RSA-OAEP wrapping algo
|
||||
Resolves: RHEL-28259
|
||||
|
||||
* Tue Feb 20 2024 Julien Rische <jrische@redhat.com> - 4.9.13-7
|
||||
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
||||
Resolves: RHEL-25742
|
||||
|
|
|
|||
Loading…
Reference in New Issue