#7427 User Administrator doesn't have enough privileges to edit homeDirectory attribute
Closed: fixed 5 years ago Opened 6 years ago by jenstimmerman.

Request for enhancement

User Administrator can add users with a given homedir, and can delete users, but the role doesn't allow you to modify the homedir.

Steps to Reproduce

kinit admin
ipa user-add user_admin --first=first --last=last --random --homedir=/home/useradmin
ipa role-add-member --users=user_admin "User Administrator"
kdestroy
kinit user_admin

Actual behavior

ipa user-mod user_admin --homedir=/tmp
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'homeDirectory' attribute of entry 'uid=user_admin,cn=users,cn=accounts,dc=domain,dc=example,dc=com'.

Expected behavior

-------------------------
Modified user "user_admin,"
-------------------------
  User login: user_admin,
  First name: first
  Last name: last
  Home directory: /tmp
  Login shell: /bin/sh
  Principal name: user_admin@DOMAIN.EXAMPLE.COM
  Principal alias:user_admin@DOMAIN.EXAMPLE.COM
  Email address: user_admin@example.com
  UID: 1850000003
  GID: 1850000003
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Roles: User Administrator
  Kerberos keys available: True

Version/Release/Distribution

$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
package freeipa-server is not installed
package freeipa-client is not installed
ipa-server-4.5.0-22.el7.centos.x86_64
ipa-client-4.5.0-22.el7.centos.x86_64
389-ds-base-1.3.6.1-26.el7_4.x86_64
pki-ca-10.4.1-17.el7_4.noarch
krb5-server-1.15.1-8.el7.x86_64


The "User Administrator" role grants the "User Administrators" privilege, which contains the permission "System: Modify Users".

"System: Modify users" allows writing the attributes that a user would be allowed to modify on his own entry, plus departmentnumber employeenumber mail mepmanagedentry objectclass preferredlanguage userclass, but does not allow writing homedirectory. Need to check if this was intended or an error.

A user definitely should not be allowed to change his/her own home directory, as this can lead to a trivial way of leaking data of other users.

"System: Modify users" is not used for self-service purposes, though. Below are the ACIs that define selfservice access controls:

install/share/default-aci.ldif:aci: (targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "givenname || sn || cn || displayname || title || initials || loginshell || gecos || homephone || mobile || pager || facsimiletelephonenumber || telephonenumber || street || roomnumber || l || st || postalcode || manager || secretary || description || carlicense || labeleduri || inetuserhttpurl || seealso || employeetype  || businesscategory || ou")(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="usercertificate || krblastpwdchange || description || l || nshostlocation || nshardwareplatform || nsosversion")(version 3.0; acl "Hosts can modify their own certs and keytabs"; allow(write) userdn = "ldap:///self";)
install/share/default-aci.ldif:aci: (targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr = "ipasshpubkey")(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr="ipasshpubkey")(version 3.0; acl "Hosts can modify their own SSH public keys"; allow(write) userdn = "ldap:///self";)
install/updates/20-aci.update:add:aci: (targetattr="ipaProtectedOperation;write_keys")(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)
install/updates/20-aci.update:add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can manage their own X.509 certificates";allow (write) userdn = "ldap:///self";)
install/updates/73-certmap.update:add:aci: (targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";allow (write) userdn = "ldap:///self";)

There is definitely no homeDirectory in any of the writable ACIs for non-admins. I think we can extend 'System: Modify Users' to include it.
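As an added audit helper (not FreeIPA's own code), the following parses 389-ds ACI strings like the ones quoted above and reports which rules grant a given right on a given attribute, so the "no homeDirectory anywhere" conclusion can be checked mechanically. SAMPLE_ACIS is constructed from the self-service ACIs in this ticket (grep path prefixes dropped, the "User Self service" attribute list abridged).

```python
import re

# Constructed sample: self-service ACIs quoted in the ticket, with the grep
# file-path prefixes removed and the "User Self service" attribute list
# abridged. Added example, not FreeIPA's own code.
SAMPLE_ACIS = [
    '(targetattr = "userpassword || krbprincipalkey || sambalmpassword || sambantpassword")'
    '(version 3.0; acl "selfservice:Self can write own password"; allow (write) userdn="ldap:///self";)',
    '(targetattr = "givenname || sn || cn || displayname || loginshell || gecos || homephone")'
    '(version 3.0;acl "selfservice:User Self service";allow (write) userdn = "ldap:///self";)',
    '(targetattr = "ipasshpubkey")'
    '(version 3.0;acl "selfservice:Users can manage their own SSH public keys";allow (write) userdn = "ldap:///self";)',
    '(targetattr="ipaProtectedOperation;write_keys")'
    '(version 3.0; acl "Entities are allowed to rekey themselves"; allow(write) userdn="ldap:///self";)',
    '(targetattr = "ipacertmapdata")(targattrfilters="add=objectclass:(objectclass=ipacertmapobject)")'
    '(version 3.0;acl "selfservice:Users can manage their own X.509 certificate identity mappings";'
    'allow (write) userdn = "ldap:///self";)',
]

# One ACI = target clause(s), then a body with the rule name, the rights and
# the bind rule. Only the pieces needed for the audit are captured.
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<attrs>[^"]*)"\)'      # attribute list, "a || b"
    r'.*?acl\s*"(?P<name>[^"]*)"'                   # rule name
    r'.*?allow\s*\((?P<rights>[^)]*)\)'             # granted rights, "read,write"
    r'\s*(?P<bind>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)"',
    re.IGNORECASE | re.DOTALL,
)

def parse_aci(aci):
    """Return name, lower-cased attribute set, rights set and subject of one ACI."""
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI: %s" % aci[:60])
    attrs = {a.strip().lower() for a in m.group("attrs").split("||")}
    rights = {r.strip().lower() for r in m.group("rights").split(",")}
    return {"name": m.group("name"), "attrs": attrs,
            "rights": rights, "subject": m.group("subject")}

def rules_granting(acis, attr, right="write"):
    """Names of the ACIs that grant `right` on `attr` (case-insensitive)."""
    attr = attr.lower()
    return [p["name"] for p in map(parse_aci, acis)
            if right.lower() in p["rights"] and attr in p["attrs"]]

if __name__ == "__main__":
    # Expected: no self-service rule grants write on homeDirectory.
    print("homeDirectory writable by:", rules_granting(SAMPLE_ACIS, "homeDirectory"))
    print("loginShell writable by:", rules_granting(SAMPLE_ACIS, "loginShell"))
```

Feeding it the full `aci` attribute values exported from the directory (for example the output of an `ldapsearch` for `aci` on the users container) turns the manual review above into a repeatable check.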

I would argue in favour of the extension, because with the current rights a "User Administrator" can remove a user and add the user again with a different homeDirectory, effectively getting the same result, but in a roundabout way.

Metadata Update from @stlaz:
- Issue priority set to: important
- Issue set to the milestone: FreeIPA 4.5.5

5 years ago

Metadata Update from @stlaz:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/1912

5 years ago

master:

  • a885f07 Allow user administrator to change user homedir

Metadata Update from @stlaz:
- Issue assigned to stlaz

5 years ago

ipa-4-6:

  • 3a101ef Allow user administrator to change user homedir

ipa-4-5:

  • e10a270 Allow user administrator to change user homedir

Metadata Update from @stlaz:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

5 years ago
