User Administrator can add users with a given homedir, and can delete users, but the role doesn't allow you to modify the homedir.
```
$ kinit admin
$ ipa user-add user_admin --first=first --last=last --random --homedir=/home/useradmin
$ ipa role-add-member --users=user_admin "User Administrator"
$ kdestroy
$ kinit user_admin
$ ipa user-mod user_admin --homedir=/tmp
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'homeDirectory' attribute of entry 'uid=user_admin,cn=users,cn=accounts,dc=domain,dc=example,dc=com'.
```
```
-------------------------
Modified user "user_admin"
-------------------------
  User login: user_admin
  First name: first
  Last name: last
  Home directory: /tmp
  Login shell: /bin/sh
  Principal name: user_admin@DOMAIN.EXAMPLE.COM
  Principal alias: user_admin@DOMAIN.EXAMPLE.COM
  Email address: user_admin@example.com
  UID: 1850000003
  GID: 1850000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: User Administrator
  Kerberos keys available: True
```

```
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-26.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64
```
The "User Administrator" role grants the "User Administrators" privilege, which contains the permission "System: Modify Users".
"System: Modify Users" allows writing the attributes that a user would be allowed to modify on their own entry, plus departmentnumber, employeenumber, mail, mepmanagedentry, objectclass, preferredlanguage and userclass, but it does not allow writing homedirectory. Need to check if this was intended or an error.
A user definitely should not be allowed to change his/her own home directory, as this can lead to a trivial way of leaking other users' data.
"System: Modify Users" is not used for self-service purposes, though. Below are the ACIs that define the self-service access controls:
```
install/share/default-aci.ldif:aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
install/updates/73-certmap.update:add:aci: (targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)
```
There is definitely no homeDirectory in any of the writable ACIs for non-admins. I think we can extend 'System: Modify Users' to include it.
I would argue in favour of the extension, because with the current rights a "User Administrator" can remove a user and add the user again with a different homeDirectory, effectively getting the same result, but in a roundabout way.
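The check done by hand in the comments above (grep the self-service ACIs, then look for homeDirectory in a self-bound write rule) as a small script. This is an added example for this ticket, not FreeIPA project code: the ACI strings are copied from the grep output quoted above (only the user self-service ones, the host ACIs bind to host entries), while the parser, the function names and the MODIFY_USERS_EXTRA set (taken from the earlier description of "System: Modify Users") are this example's own assumptions.

```python
"""Report which attributes the self-service ACIs let a user write on its own
entry, and whether homedirectory is among them.

Added example, not FreeIPA code.  The ACI strings are copied from the ticket;
the parser, helper names and MODIFY_USERS_EXTRA are this example's own.
"""
import re

# User self-service ACIs quoted in the ticket (install/share/default-aci.ldif
# and install/updates/*.update, duplicates dropped).
SELFSERVICE_ACIS = [
    '(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)',
    '(targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)',
    '(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)',
    '(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)',
    '(targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)',
    '(targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)',
]

# Attributes the ticket says "System: Modify Users" grants on top of the
# self-service set (assumption: taken from the comment, not from the schema).
MODIFY_USERS_EXTRA = {"departmentnumber", "employeenumber", "mail",
                      "mepmanagedentry", "objectclass", "preferredlanguage",
                      "userclass"}

TARGETATTR_RE = re.compile(r'\(targetattr\s*(!?=)\s*"([^"]*)"\)', re.I)
ACL_NAME_RE = re.compile(r'\bacl\s+"([^"]*)"', re.I)
ALLOW_RE = re.compile(r'\ballow\s*\(([^)]*)\)\s*([^;]*);', re.I)


def parse_aci(aci):
    """Return the ACL name, targeted attributes and (rights, self_bound) rules.

    targattrfilters clauses are ignored: they only narrow the rule further.
    """
    target = TARGETATTR_RE.search(aci)
    name = ACL_NAME_RE.search(aci)
    if not target or not name:
        raise ValueError("unsupported ACI syntax: %s" % aci)
    attrs = {a.strip().lower() for a in target.group(2).split("||") if a.strip()}
    rules = []
    for rights, subject in ALLOW_RE.findall(aci):
        right_set = {r.strip().lower() for r in rights.split(",")}
        # The rule is self-bound only when the bind rule is exactly ldap:///self.
        self_bound = re.sub(r"\s+", "", subject.lower()) == 'userdn="ldap:///self"'
        rules.append((right_set, self_bound))
    return {"name": name.group(1), "negated": target.group(1) == "!=",
            "attrs": attrs, "rules": rules}


def _grants_self_write(parsed):
    return not parsed["negated"] and any(
        "write" in rights and self_bound for rights, self_bound in parsed["rules"])


def self_writable_attrs(acis=SELFSERVICE_ACIS):
    """Attributes a user may write on its own entry (lower-cased).

    'targetattr != ...' ACIs are skipped: they mean "everything except" and
    would need the schema to expand.
    """
    out = set()
    for parsed in map(parse_aci, acis):
        if _grants_self_write(parsed):
            out |= parsed["attrs"]
    return out


def acis_granting_write(attr, acis=SELFSERVICE_ACIS):
    """Names of self-bound ACIs granting write on attr (case-insensitive)."""
    attr = attr.lower()
    return [p["name"] for p in map(parse_aci, acis)
            if _grants_self_write(p) and attr in p["attrs"]]


def modify_users_attrs():
    """Write set of "System: Modify Users" as the ticket describes it."""
    return self_writable_attrs() | MODIFY_USERS_EXTRA


if __name__ == "__main__":
    for attr in ("loginshell", "mail", "homeDirectory"):
        print("%-14s self-service: %-32s Modify Users: %s" % (
            attr, acis_granting_write(attr) or "-", attr.lower() in modify_users_attrs()))
```

Running it shows loginshell writable through "selfservice:User Self service", mail writable only through "System: Modify Users", and homeDirectory writable through neither, which is the gap the ticket is about. The same parser can be pointed at the live ACIs (for example the output of ipa permission-show or an ldapsearch for the aci attribute) to re-check after the permission is changed.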
Metadata Update from @stlaz: - Issue priority set to: important - Issue set to the milestone: FreeIPA 4.5.5
Metadata Update from @stlaz: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1912
master:
Metadata Update from @stlaz: - Issue assigned to stlaz
ipa-4-6:
ipa-4-5:
Metadata Update from @stlaz: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)