Reading through the docs carefully, but I'm just wondering if anyone else has done this, and if there are any "gotchas" I have to worry about?
Chris Cowan via FreeIPA-users wrote:
Reading through the docs carefully, but I'm just wondering if anyone else has done this, and if there are any "gotchas" I have to worry about?
It depends on what you mean by manage.
There are two privileges for group management by default: Group Administrators and Modify Group membership.
You can create a new role with these two to constrain things.
Off the top of my head there is no default way to prevent management of POSIX vs non-POSIX groups. I'm not entirely sure it's possible.
The general flow is permissions -> privileges -> roles.
So if those two privileges are too wide you may be able to create a new one (or several) restricting to only the permissions you want to allow.
rob
On 17/08/2023 18.31, Chris Cowan via FreeIPA-users wrote:
Reading through the docs carefully, but I'm just wondering if anyone else has done this, and if there are any "gotchas" I have to worry about?
FreeIPA has role-based access control that lets you define fine-grained permissions, privileges, and roles. RBACs can be created in the web UI in the "IPA Server" tab. The system permissions for group management already come with filters for the admins group and some other internal groups.
To create a least privilege admin that can manage POSIX groups, you have to:
- Create two new permissions based on "System: Modify Group" and "System: Modify Group Membership" with an additional extra target filter (objectClass=posixGroup)
- Create a new privilege with your two new permissions
- Create a role with your new privilege
- Assign the role to your least privileged admin user
The user will be able to modify group settings and add/remove members. If you want to include group creation and deletion, you also have to create custom permissions based on "System: Add group" and "System: Remove group".
Christian
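The four steps above as a script, added here as an example; it is not Christian's or the FreeIPA project's code. The permission, privilege and role names are made up, the --attrs lists are an assumption approximating the managed "System: Modify Groups" and "System: Modify Group Membership" permissions, and setting IPA=echo prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Builds the chain
# permission -> privilege -> role for POSIX groups only. Names below are made up;
# the --attrs lists are an assumption approximating the managed permissions
# "System: Modify Groups" and "System: Modify Group Membership".
# Set IPA=echo to print the commands instead of running them.
IPA=${IPA:-ipa}

# Extra target filter: POSIX groups only, and never the built-in "admins" group.
# A custom permission does not inherit the admins exclusion that the managed
# "System: Modify Group Membership" / "System: Remove Groups" permissions carry.
POSIX_FILTER='(&(objectClass=posixGroup)(!(cn=admins)))'

create_posix_group_admin_role() {
    priv=$1   # privilege name, e.g. "POSIX Group Administrators"
    role=$2   # role name, e.g. "POSIX_Group_Administrator"
    user=$3   # least-privileged account to bind to the role

    # Four permissions mirroring Add / Remove / Modify / Modify Membership.
    $IPA permission-add "Add POSIX Groups" --right=add --type=group \
        --filter="$POSIX_FILTER"
    $IPA permission-add "Remove POSIX Groups" --right=delete --type=group \
        --filter="$POSIX_FILTER"
    $IPA permission-add "Modify POSIX Groups" --right=write --type=group \
        --attrs=description --attrs=gidnumber --filter="$POSIX_FILTER"
    $IPA permission-add "Modify POSIX Group Membership" --right=write \
        --type=group --attrs=member --filter="$POSIX_FILTER"

    # One privilege bundling them, one role carrying the privilege, one member.
    $IPA privilege-add "$priv" --desc="Manage POSIX groups only"
    $IPA privilege-add-permission "$priv" \
        --permissions="Add POSIX Groups" --permissions="Remove POSIX Groups" \
        --permissions="Modify POSIX Groups" \
        --permissions="Modify POSIX Group Membership"
    $IPA role-add "$role" --desc="CRUD on POSIX groups, nothing else"
    $IPA role-add-privilege "$role" --privileges="$priv"
    $IPA role-add-member "$role" --users="$user"

    # Check: the stored filter must still exclude admins after creation.
    $IPA permission-show "Modify POSIX Group Membership"
}
```

After running it for real, authenticate as the bound account and confirm that ipa user-add fails with "Insufficient access" while group-add on a test group succeeds.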
Christian,
I want full admin meaning all group management. (CRUD). Add/remove group, change attributes, membership, etc...
Was already aware of the manager members and that I could assign both users or groups. I have been using that and it works as I would expect.
So, I will be needing System:{Add Group, Remove Group, Modify Group, and Modify Group Membership}
This id will be used behind the curtain with a service available via a REST API, and will serve the needs of a storage service.
I might be missing something here, but if an account can manage all posixGroup objects then he's, from an attacker's point of view, as privileged as a member of the admin group, isn't he?
On Thu, Aug 17, 2023 at 9:28 PM Chris Cowan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Christian,
I want full admin meaning all group management. (CRUD). Add/remove group, change attributes, membership, etc...
Was already aware of the manager members and that I could assign both users or groups. I have been using that and it works as I would expect.
So, I will be needing System:{Add Group, Remove Group, Modify Group, and Modify Group Membership}
This id will be used behind the curtain with a service available via a REST API, and will serve the needs of a storage service.
I might be missing something here, but if an account can manage all posixGroup objects then he's, from an attacker's point of view, as privileged as a member of the admin group, isn't he?
Which is precisely why I created a new role limited to POSIX Groups only. After reading Christian's post, I went in and investigated the existing roles and privileges.
Start with "ipa role-find" and "ipa privilege-find" to get the following. I have 9 here, rather than 8, because it shows the new role I created.
$ ipa role-find
---------------
9 roles matched
---------------
  Role name: CIFS server

  Role name: Enrollment Administrator
  Description: Enrollment Administrator responsible for client(host) enrollment

  Role name: Group_Administrator
  Description: Responsible for creating Groups only

  Role name: helpdesk
  Description: Helpdesk

  Role name: IT Security Specialist
  Description: IT Security Specialist

  Role name: IT Specialist
  Description: IT Specialist

  Role name: Security Architect
  Description: Security Architect

  Role name: Subordinate ID Selfservice User
  Description: User that can self-request subordiante ids

  Role name: User Administrator
  Description: Responsible for creating Users and Groups
----------------------------
Number of entries returned 9
----------------------------

$ ipa privilege-find
---------------------
37 privileges matched
---------------------
  Privilege name: ADTrust Agents
  Description: System accounts able to access trust information

  Privilege name: Automember Readers
  Description: Read Automember definitions

  Privilege name: Automember Task Administrator
  Description: Automember Task Administrator

  Privilege name: Automount Administrators
  Description: Automount Administrators

  Privilege name: CA Administrator
  Description: CA Administrator

  Privilege name: Certificate Administrators
  Description: Certificate Administrators

  Privilege name: Certificate Identity Mapping Administrators
  Description: Certificate Identity Mapping Administrators

  Privilege name: CIFS server privilege

  Privilege name: Delegation Administrator
  Description: Role administration

  Privilege name: DNS Administrators
  Description: DNS Administrators

  Privilege name: DNS Servers
  Description: DNS Servers

  Privilege name: External IdP server Administrators
  Description: External IdP server Administrators

  Privilege name: Group Administrators
  Description: Group Administrators

  Privilege name: HBAC Administrator
  Description: HBAC Administrator

  Privilege name: Host Administrators
  Description: Host Administrators

  Privilege name: Host Enrollment
  Description: Host Enrollment

  Privilege name: Host Group Administrators
  Description: Host Group Administrators

  Privilege name: IPA Masters Readers
  Description: Read list of IPA masters

  Privilege name: Kerberos Ticket Policy Readers
  Description: Read global and per-user Kerberos ticket policy

  Privilege name: Modify Group membership
  Description: Modify Group membership

  Privilege name: Modify Users and Reset passwords
  Description: Modify Users and Reset passwords

  Privilege name: Netgroups Administrators
  Description: Netgroups Administrators

  Privilege name: PassSync Service
  Description: PassSync Service

  Privilege name: Password Policy Administrator
  Description: Password Policy Administrator

  Privilege name: Password Policy Readers
  Description: Read password policies

  Privilege name: RBAC Readers
  Description: Read roles, privileges, permissions and ACIs

  Privilege name: Replication Administrators
  Description: Replication Administrators

  Privilege name: SELinux User Map Administrators
  Description: SELinux User Map Administrators

  Privilege name: Service Administrators
  Description: Service Administrators

  Privilege name: Stage User Administrators
  Description: Stage User Administrators

  Privilege name: Stage User Provisioning
  Description: Stage User Provisioning

  Privilege name: Subordinate ID Administrators
  Description: Subordinate ID Administrators

  Privilege name: Subordinate ID Selfservice Users
  Description: Subordinate ID Selfservice User

  Privilege name: Sudo Administrator
  Description: Sudo Administrator

  Privilege name: User Administrators
  Description: User Administrators

  Privilege name: Vault Administrators
  Description: Vault Administrators

  Privilege name: Write IPA Configuration
  Description: Write IPA Configuration
-----------------------------
Number of entries returned 37
-----------------------------

$ ipa role-show "User Administrator"
  Role name: User Administrator
  Description: Responsible for creating Users and Groups
  Privileges: User Administrators, Group Administrators, Stage User Administrators, Subordinate ID Administrators

$ ipa privilege-show "Group Administrators"
  Privilege name: Group Administrators
  Description: Group Administrators
  Permissions: System: Add Groups, System: Modify External Group Membership, System: Modify Group Membership, System: Modify Groups, System: Remove Groups
  Granting privilege to roles: User Administrator, Group_Administrator

$ ipa role-show Group_Administrator
  Role name: Group_Administrator
  Description: Responsible for creating Groups only
  Member users: group_admin
  Privileges: Group Administrators
All I needed to do was create a new role "Group_Administrator" with only the Group Administrators privilege. I then assigned the service id to the role.
It works exactly like I had hoped. It is only able to manipulate group objects. Otherwise, I see something like this:
$ ipa user-add test_user
First name: test
Last name: user
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions.
After re-reading Christian's reply, I was worried it might be able to mess with the private groups.
I just checked, and I cannot detach or delete.
So, this will work for my needs.
On 19/08/2023 19.18, DFIRob via FreeIPA-users wrote:
I might be missing something here, but if an account can manage all posixGroup objects then he's, from an attacker's point of view, as privileged as a member of the admin group, isn't he?
No, they can only add/remove groups and modify group members for all POSIX groups except "admins". The permissions "System: Modify Group Membership" and "System: Remove group" prevent any tampering with the admins group. A user with elevated group management permission cannot add or remove members from the admins group, nor can they delete and re-create the admins group.
There are still scenarios where a custom group combined with custom HBAC and custom SUDO rules may allow a group membership admin to gain additional permissions. You can prevent it by restricting logins and SUDO access to IPA servers.
Christian
Christian,
Rereading this, I'm wondering if, besides the "admin" user and "admins" group, there are any other special users or groups in FreeIPA? From my reading so far, I think the answer is no, but want to be sure.
On 20/09/2023 16.01, Chris Cowan via FreeIPA-users wrote:
Christian,
Rereading this, I'm wondering if, besides the "admin" user and "admins" group, there are any other special users or groups in FreeIPA? From my reading so far, I think the answer is no, but want to be sure.
The "ipaservers" host group is also special and has additional checks in place. An IPA client in this host group is privileged to promote itself to an IPA server without additional admin privileges.
Christian