The Identity, Policy and Audit system
CentOS Sources
2017-01-02 53a374936ca448d4897930910a79131c0085a284
import ipa-4.4.0-14.el7_3.1.1
3 files added, 1 file deleted, 1 file modified (349 lines changed)
SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch (43 lines)
SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch (192 lines)
SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch (38 lines)
SOURCES/ipa-centos-branding.patch (38 lines)
SPECS/ipa.spec (38 lines)
SOURCES/0145-certprofile-mod-correctly-authorise-config-update.patch
New file
@@ -0,0 +1,43 @@
From 8de62d5187f54b0e994c160a1d39dbece4615aa5 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale <ftweedal@redhat.com>
Date: Tue, 15 Nov 2016 14:02:54 +1000
Subject: [PATCH] certprofile-mod: correctly authorise config update
Certificate profiles consist of a FreeIPA object and a
corresponding Dogtag configuration object.  When updating profile
configuration, changes to the Dogtag configuration are not properly
authorised, allowing unprivileged operators to modify (but not
create or delete) profiles.  This could result in issuance of
certificates with fraudulent subject naming information, improper
key usage, or other badness.
Update certprofile-mod to ensure that the operator has permission to
modify FreeIPA certprofile objects before modifying the Dogtag
configuration.
https://fedorahosted.org/freeipa/ticket/6560
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
 ipaserver/plugins/certprofile.py | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/ipaserver/plugins/certprofile.py b/ipaserver/plugins/certprofile.py
index f4466077484591c8e941027fa8e4897602384f7c..2bd3311e3b729b768188d537bf7f675a0f9346c2 100644
--- a/ipaserver/plugins/certprofile.py
+++ b/ipaserver/plugins/certprofile.py
@@ -310,6 +310,11 @@ class certprofile_mod(LDAPUpdate):
             raise errors.ProtectedEntryError(label='certprofile', key=keys[0],
                 reason=_('Certificate profiles cannot be renamed'))
         if 'file' in options:
+            # ensure operator has permission to update a certprofile
+            if not ldap.can_write(dn, 'ipacertprofilestoreissued'):
+                raise errors.ACIError(info=_(
+                    "Insufficient privilege to modify a certificate profile."))
+
             with self.api.Backend.ra_certprofile as profile_api:
                 profile_api.disable_profile(keys[0])
                 try:
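Review bot: the check added at the top of the `if 'file' in options:` branch uses write permission on the single attribute `ipacertprofilestoreissued` as a proxy for "may modify this profile"; that holds as long as the ACI granting profile modification covers that attribute, but nothing in the hunk says why this attribute was chosen, so a one-line comment naming the permission it mirrors would keep the intent clear if the ACIs are ever reorganised. The placement is right: the check runs before `profile_api.disable_profile(keys[0])`, so an unauthorised caller can no longer leave a profile disabled or reach the Dogtag import at all. Note that only the Dogtag side is guarded here; the LDAP modification of the certprofile object itself is still subject to the directory server's ACIs, which is why the no-`file` path needs no extra check.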
--
2.10.2
SOURCES/0146-password-policy-Add-explicit-default-password-policy.patch
New file
@@ -0,0 +1,192 @@
From 016631a08b67bda3dc996b84061f863e0f5cdc7f Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Thu, 29 Sep 2016 15:59:34 +0200
Subject: [PATCH] password policy: Add explicit default password policy for
 hosts and services
Explicitly set the krbPwdPolicyReference attribute on all hosts (entries in
cn=computers,cn=accounts), services (entries in cn=services,cn=accounts) and
Kerberos services (entries in cn=$REALM,cn=kerberos). This is done using DS's
CoS so no attributes are really added.
The default policies effectively disable any enforcement or lockout for hosts
and services. Since hosts and services use keytabs, password enforcement
doesn't make much sense. Also, the lockout policy could be used for easy and
cheap DoS.
https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
---
 install/updates/20-default_password_policy.update | 133 ++++++++++++++++++++++
 install/updates/Makefile.am                       |   1 +
 ipaserver/install/service.py                      |   1 +
 3 files changed, 135 insertions(+)
 create mode 100644 install/updates/20-default_password_policy.update
diff --git a/install/updates/20-default_password_policy.update b/install/updates/20-default_password_policy.update
new file mode 100644
index 0000000000000000000000000000000000000000..b1f9754a98e9c4b9cb8558e96f7195ea87c2f1ce
--- /dev/null
+++ b/install/updates/20-default_password_policy.update
@@ -0,0 +1,133 @@
+# Default password policies for hosts, services and Kerberos services
+# Setting all attributes to zero effectively disables any password policy
+# We can do this because hosts and services uses keytabs instead of passwords
+
+# hosts
+dn: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Host Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# services
+dn: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# kerberos policy container
+# this is necessary to avoid mixing the Kerberos sevice password policy
+# with group-membership based user password policies
+dn: cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Kerberos Service Password Policy
+
+# kerberos services
+dn: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectClass: krbPwdPolicy
+default:objectClass: nsContainer
+default:objectClass: top
+default:cn: Default Kerberos Service Password Policy
+default:krbMinPwdLife: 0
+default:krbPwdMinDiffChars: 0
+default:krbPwdMinLength: 0
+default:krbPwdHistoryLength: 0
+default:krbMaxPwdLife: 0
+default:krbPwdMaxFailure: 0
+default:krbPwdFailureCountInterval: 0
+default:krbPwdLockoutDuration: 0
+
+# default password policies for hosts, services and kerberos services
+# cosPriority is set intentionally to higher number than FreeIPA API allows
+# to set to ensure that these password policies have always lower priority
+# than any defined by user.
+
+# hosts
+dn: cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Host Password Policy,cn=computers,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=computers,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Hosts
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=computers,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# services
+dn: cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Service Password Policy,cn=services,cn=accounts,$SUFFIX
+
+dn: cn=Default Password Policy,cn=services,cn=accounts,$SUFFIX
+default:description: Default Password Policy for Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=services,cn=accounts,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
+
+# kerberos services
+dn: cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: nsContainer
+default:cn: cosTemplates
+
+dn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:objectclass: top
+default:objectclass: cosTemplate
+default:objectclass: extensibleObject
+default:objectclass: krbContainer
+default:cn: Default Password Policy
+default:cosPriority: 10000000000
+default:krbPwdPolicyReference: cn=Default Kerberos Service Password Policy,cn=Kerberos Service Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+
+dn: cn=Default Password Policy,cn=$REALM,cn=kerberos,$SUFFIX
+default:description: Default Password Policy for Kerberos Services
+default:objectClass: top
+default:objectClass: ldapsubentry
+default:objectClass: cosSuperDefinition
+default:objectClass: cosPointerDefinition
+default:cosTemplateDn: cn=Default Password Policy,cn=cosTemplates,cn=$REALM,cn=kerberos,$SUFFIX
+default:cosAttribute: krbPwdPolicyReference default
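Review bot: the comment introducing the kerberos policy container misspells "service" in `# this is necessary to avoid mixing the Kerberos sevice password policy`. More substantively, each of the three cosTemplate entries carries `objectclass: krbContainer` next to `cosTemplate` and `extensibleObject` with no comment on why that class is needed; a short note on what consumes it would help the next reader. The values that actually close the lockout DoS named in the commit message are `krbPwdMaxFailure: 0`, `krbPwdFailureCountInterval: 0` and `krbPwdLockoutDuration: 0`; the header comment says zeros disable the policy, and it would be worth adding there that these defaults are only acceptable for keytab-based principals, so nobody later copies the file as a template for user policies.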
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 455fd209d171888dc94a7f708dc5fa1743f62bf4..310ae39c3b659cbe897380f572824acb26009574 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -23,6 +23,7 @@ app_DATA =                \
     20-winsync_index.update        \
     20-idoverride_index.update    \
     20-uuid.update  \
+    20-default_password_policy.update \
     21-replicas_container.update    \
     21-ca_renewal_container.update    \
     21-certstore_container.update    \
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 057cd3d4b512513a4e3a8f228dc5f07f31fd84e0..6bb2e76f64ac11abc426c70c645cfb042be474c2 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -252,6 +252,7 @@ class Service(object):
             # There is no service in the wrong location, nothing to do.
             # This can happen when installing a replica
             return None
+        entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr
         newdn = DN(('krbprincipalname', principal), ('cn', 'services'), ('cn', 'accounts'), self.suffix)
         hostdn = DN(('fqdn', self.fqdn), ('cn', 'computers'), ('cn', 'accounts'), self.suffix)
         self.admin_conn.delete_entry(entry)
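Review bot: `entry.pop('krbpwdpolicyreference', None)  # don't copy virtual attr` deserves a fuller comment. The new CoS definitions use `cosAttribute: krbPwdPolicyReference default`, so a real value stored on the entry overrides the CoS-supplied one; copying the host's virtual reference onto the entry re-created under `cn=services` would pin that service to the host policy instead of the service policy. Stating that in the comment explains why silently dropping the attribute is the correct behaviour rather than something to warn about.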
--
2.10.2
SOURCES/0147-ipa-kdb-search-for-password-policies-globally.patch
New file
@@ -0,0 +1,38 @@
From a90a67fc7c4ef114e5f5336d868009fd0caa956b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 15 Dec 2016 16:30:00 +0200
Subject: [PATCH] ipa-kdb: search for password policies globally
With the CoS templates now used to create additional password policies
per object type that are placed under the object subtrees, the DAL driver
needs to search for the policies in the whole tree.
Individual policies referenced by the krbPwdPolicyReference attribute
are always searched by their full DN and with the base scope. However,
when the KDC asks a DAL driver to return a password policy by name, we don't
have any specific base to search. The original code searched the
realm subtree.
Fixes https://fedorahosted.org/freeipa/ticket/6561
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
---
 daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 076314a12840881a340763ab5693131aaccafec6..0c810af98f7a37b76afc4ca40b29441d9793f12f 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -163,7 +163,7 @@ krb5_error_code ipadb_get_pwd_policy(krb5_context kcontext, char *name,
     }
     kerr = ipadb_simple_search(ipactx,
-                               ipactx->realm_base, LDAP_SCOPE_SUBTREE,
+                               ipactx->base, LDAP_SCOPE_SUBTREE,
                                src_filter, std_pwdpolicy_attrs, &res);
     if (kerr) {
         goto done;
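Review bot: switching the base from `ipactx->realm_base` to `ipactx->base` with `LDAP_SCOPE_SUBTREE` makes a lookup by policy name match anywhere under the suffix. Since the companion update file creates entries named `cn=Default Password Policy` under cn=computers, cn=services and cn=$REALM, a name-based search could now return several entries if `src_filter` constrains only on cn; the hunk does not show how `res` is consumed, so confirm that the caller either treats multiple results as an error or that the filter narrows on more than the name.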
--
2.10.2
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -43,7 +43,7 @@
Name:           ipa
Version:        4.4.0
Release:        14%{?dist}
Release:        14%{?dist}.1.1
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -51,10 +51,10 @@
URL:            http://www.freeipa.org/
Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
# RHEL spec file only: START: Change branding to IPA and Identity-Management
#Source1:        header-logo.png
#Source2:        login-screen-background.jpg
#Source3:        login-screen-logo.png
#Source4:        product-name.png
Source1:        header-logo.png
Source2:        login-screen-background.jpg
Source3:        login-screen-logo.png
Source4:        product-name.png
# RHEL spec file only: END: Change branding to IPA and Identity-Management
BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -203,6 +203,9 @@
Patch0142:      0142-Fix-missing-file-that-fails-DL1-replica-installation.patch
Patch0143:      0143-trustdomain-del-fix-the-way-how-subdomain-is-searche.patch
Patch0144:      0144-spec-file-bump-minimal-required-version-of-389-ds-ba.patch
Patch0145:      0145-certprofile-mod-correctly-authorise-config-update.patch
Patch0146:      0146-password-policy-Add-explicit-default-password-policy.patch
Patch0147:      0147-ipa-kdb-search-for-password-policies-globally.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -214,7 +217,6 @@
Patch1008:      1008-RCUE.patch
Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
Patch1011:      ipa-centos-branding.patch
# RHEL spec file only: END
%if ! %{ONLY_CLIENT}
@@ -794,10 +796,10 @@
done
# Red Hat's Identity Management branding
#cp %SOURCE1 install/ui/images/header-logo.png
#cp %SOURCE2 install/ui/images/login-screen-background.jpg
#cp %SOURCE3 install/ui/images/login-screen-logo.png
#cp %SOURCE4 install/ui/images/product-name.png
cp %SOURCE1 install/ui/images/header-logo.png
cp %SOURCE2 install/ui/images/login-screen-background.jpg
cp %SOURCE3 install/ui/images/login-screen-logo.png
cp %SOURCE4 install/ui/images/product-name.png
# RHEL spec file only: END
@@ -1533,8 +1535,20 @@
%changelog
* Tue Dec 06 2016 CentOS Sources <bugs@centos.org> - 4.4.0-14.el7.centos
- Roll in CentOS Branding
* Fri Dec 16 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
  by abusing password policy
  - ipa-kdb: search for password policies globally
- Renamed patches 1011 and 1012 to 0146 and 0145, as they were merged upstream
* Mon Dec 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14.1
- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services
  by abusing password policy
  - password policy: Add explicit default password policy for hosts and
    services
- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in
  certprofile-mod
  - certprofile-mod: correctly authorise config update
* Tue Nov  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-14
- Resolves: #1378353 Replica install fails with old IPA master sometimes during
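Review bot: the Release field becomes `14%{?dist}.1.1` (the import is named ipa-4.4.0-14.el7_3.1.1), yet the topmost changelog entry is the CentOS one for `4.4.0-14.el7.centos` dated Dec 06, sitting above Jan Cholasta's Dec 16 entry for 4.4.0-14.1.1. Changelog entries need to stay in reverse chronological order and the top one should match the Release being built. Since this import also deletes `ipa-centos-branding.patch` and drops its `Patch1011` line, add a CentOS entry for 4.4.0-14.el7_3.1.1 that records the rebase onto the upstream security patches and the removal of the branding patch.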