The FreeIPA team would like to announce FreeIPA 4.6.9 release!
It can be downloaded from http://www.freeipa.org/page/Downloads
== Highlights in 4.6.9 ==
It was found that if an account with a name corresponding to an account
local to a system, such as 'root', was created via IPA, such an account could
access any enrolled machine with that identity and its local system
privileges. Access was granted even in the absence of explicit HBAC rules.
Since such an account can only be created by user administrators in FreeIPA,
several changes were made to tighten permissions and prevent creation of a 'root'
identity by mistake.
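The collision described above is easy to check for on the enrolled hosts themselves. The following audit helper is an added example, not FreeIPA project code: it parses a host's passwd database and reports every IPA user name that also exists as a local account, listing privileged (uid 0) collisions first. The passwd lines and the IPA user list below are constructed samples; in practice the IPA names would come from `ipa user-find` output.

```python
"""Audit helper (added example, not part of FreeIPA).

Flags IPA user names that collide with accounts local to an enrolled host,
which is the overlap behind the 4.6.9 fix. Both inputs below are constructed
sample data for the example.
"""

# Constructed sample of a host's /etc/passwd (not taken from any real system)
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""

# Constructed sample of IPA user uid values (as 'ipa user-find' would list them)
IPA_USERS = ["admin", "alice", "root", "jdoe", "sshd"]


def parse_passwd(text):
    """Return a dict of login name -> numeric uid from passwd-format lines.

    Blank lines, comments and malformed records (fewer than seven fields or a
    non-numeric uid) are skipped rather than aborting the audit."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue
        try:
            accounts[fields[0]] = int(fields[2])
        except ValueError:
            continue
    return accounts


def find_collisions(ipa_uids, local_accounts):
    """Return (name, local_uid) pairs for IPA names that also exist locally.

    Collisions with uid 0 are sorted first because those grant local root
    privileges on every host where the name resolves to the local entry."""
    hits = [(name, local_accounts[name]) for name in ipa_uids if name in local_accounts]
    return sorted(hits, key=lambda item: (item[1] != 0, item[0]))


if __name__ == "__main__":
    for name, uid in find_collisions(IPA_USERS, parse_passwd(LOCAL_PASSWD)):
        severity = "PRIVILEGED" if uid == 0 else "review"
        print(f"{severity}: IPA user '{name}' collides with local uid {uid}")
```

Collisions with a non-zero local uid are reported too: which identity a name resolves to then depends on the host's nsswitch ordering, so any shared name is worth reviewing even when it is not root.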
root principal alias
The principal "root@REALM" is now a Kerberos principal alias; this prevents
users with the "User Administrator" role or the "System: Add User" permission
from creating an account with the "root" principal name.
Modified user permissions
Several user permissions no longer apply to admin users and now filter on the
posixAccount object class. This prevents user managers from modifying admin
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
``System: Unlock User`` permission is now restricted because the permission
also allows a user manager to lock an admin account.
``System: Modify Users`` is restricted to prevent user managers from changing
login shell or notification channels (mail, mobile) of admin accounts.
New user permission
- System: Change Admin User password
This new permission allows manipulation of admin user password fields. By
default only the ``PassSync Service`` privilege is allowed to modify admin user
Modified group permissions
Group permissions are now restricted as well. Group admins can no longer modify
the admins group and are limited to groups with object class ``ipausergroup``.
- System: Modify Groups
- System: Remove Groups
The permission ``System: Modify Group Membership`` was already limited.
== Upgrading ==
Upgrade instructions are available on [[Upgrade]] page.
== Feedback ==
Please provide comments, bugs and other feedback via the freeipa-users mailing
list or the #freeipa channel on Freenode.
== Resolved tickets ==
== Detailed changelog since 4.6.8 ==
=== Alexander Bokovoy (1) ===
* Become FreeIPA 4.6.9
=== Christian Heimes (1) ===
* Prevent local account takeover
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland