#2995 [RFE] Add option to limit the scope of the DS objects user can see in self service
Opened 11 years ago by jakems. Modified 7 years ago

Hi,

I have recently been evaluating FreeIPA by setting it up on a server with a couple of clients. FreeIPA seems like a very good product.

However, one thing I have noticed is what I would consider a security bug within the WebUI. This bug leaks data to any user who can obtain a Kerberos ticket; by the looks of it this is working as designed, however it should not be this way.

If you log in to the WebUI as a standard non-Admin user, you get directed to your own page, displaying your own details. Up to this point, it's perfectly acceptable.

However, if you then proceed to click "Users", you are provided a full list of users within IPA, and you may click on any one of them and view full details, including address, phone number etc.

This is not good in my opinion, and a standard user should not be able to obtain these details without permission being granted by an administrator. This happens regardless of "Self Service Permissions". If you remove them all, the user is unable to edit themselves, however still fully able to view all other users and their details.

There appear to be no options to disable this "Feature". This should be either off by default, or at least provide an option to disable it in my opinion.

Anyhow, sorry to be a bother, but just thought I'd let you know :-).

Version Information:
FreeIPA Server 2.2.0 (CentOS 6.3)
FreeIPA Client 2.2.0 (CentOS 6.3)

How to Test:
1) Setup FreeIPA Server
2) Setup FreeIPA Client
3) Create non-Admin User
4) Delete all self service permissions
5) Login as non-Admin User on Client
6) Direct Firefox to WebUI
7) Configure Firefox for Kerberos
8) Type kinit
9) Refresh WebUI (Should log you in)
10) Where it says "Users > USERNAME" click "Users" link
11) Click any user, and view their full details

Possible Fixes:
- Option to disable displaying list of users, and their details to non-Admin users.


We know about this situation and discussed this some time ago during design of the WebUI. The argument was that once you are authenticated within the organization, the LDAP server by default will serve you most of the information available in the LDAP. This has been a common practice for years. I am not saying your request is invalid; it is a valid concern, but so far it has not been something people were worried about. I guess it is a first call for us.

I suspect something can be done on the ACI level to restrict the user to see only his own information. You can most likely do it yourself by adding some ACIs (I do not think we tried, but it should be doable). The question is how usable such an environment would be and how it would cope with the restrictions you suggest, because a lot of software still assumes that once authenticated it can get access to the user list.
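As an added illustration of the ACI approach the comment above suggests (example configuration written for this page, not a FreeIPA default and not anything attached to the ticket): an LDIF that, on the 389 Directory Server backing FreeIPA, grants an authenticated user read access only to their own entry under the users container. The suffix dc=example,dc=com, the container cn=users,cn=accounts and the ACI name are assumptions; the attribute names userPassword and krbPrincipalKey are real schema attributes excluded here so that secrets are never readable even by the owner.

```ldif
# Assumed suffix and FreeIPA-style users container; the ACI name is made up.
dn: cn=users,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr != "userPassword || krbPrincipalKey")(version 3.0; acl "Authenticated user may read only own entry"; allow (read, search, compare) userdn = "ldap:///self";)
```

Two caveats a practitioner will hit. First, 389-DS ACIs are additive: any other allow ACI on the suffix that matches the bind DN (FreeIPA installs broad read ACIs for anonymous and authenticated binds) still grants access, so this entry only narrows visibility once those broader ACIs are found and tightened, which is the usability question the comment raises. Second, verify the effect from the client rather than from the server's Directory Manager bind, for example by running `ldapsearch -Y GSSAPI -b cn=users,cn=accounts,dc=example,dc=com '(uid=*)' cn` after `kinit` as the non-admin user and confirming that only that user's own entry comes back, then repeating the check as any service account that enumerates users (as the comment notes, much software assumes it can).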

Metadata Update from @jakems:
- Issue assigned to pvoborni
- Issue set to the milestone: Tickets Deferred

7 years ago
