ipa hbacrule-del does not check or warn if removing a HBAC service that is referenced by a HBAC rule. The removal of a SVC modifies the behavior of the rule. It doesn't look like a security issue, because there is no implicit all match for HBAC rules without any service.
ipa hbacrule-del
all
There is no warning / error
hbacsvc-del should fail
freeipa-server-4.7.2-1.fc29.x86_64
# ipa hbacsvc-add demosvc
----------------------------
Added HBAC service "demosvc"
----------------------------
  Service name: demosvc
# ipa hbacrule-add demorule --usercat=all --hostcat=all
--------------------------
Added HBAC rule "demorule"
--------------------------
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
# ipa hbacrule-add-service demorule --hbacsvcs=demosvc
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
  Services: demosvc
-------------------------
Number of members added 1
-------------------------
# ipa hbacsvc-del demosvc
------------------------------
Deleted HBAC service "demosvc"
------------------------------
# ipa hbacrule-show demorule
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
# ipa hbactest --user=admin --host=$(hostname) --service=sshd --rules=demorule
---------------------
Access granted: False
---------------------
  Not matched rules: demorule
Alexander pointed out that sudo rules are probably also affected. I guess HBAC service groups show the same behavior.
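Until the server refuses the deletion itself, an administrator can put the missing check in front of hbacsvc-del. The wrapper below is an added example, not FreeIPA code and not part of this ticket: it looks up HBAC rules and HBAC service groups that still reference the service (covering both the rule case from the report and the service-group case from the comment) and refuses to delete while any exist. It assumes the ipa CLI is on PATH with a valid Kerberos ticket and that the find options hbacrule-find --services and hbacsvcgroup-find --hbacsvcs with --pkey-only print one "  Rule name: X" / "  Service group name: X" line per match, as they do on 4.x.

```shell
#!/bin/sh
# Added example (not FreeIPA's own code): guard hbacsvc-del against
# deleting a service that an HBAC rule or HBAC service group still uses.
# Assumptions: `ipa` on PATH, valid ticket, and the --pkey-only output
# format "  Rule name: X" / "  Service group name: X".

# Print every object that references HBAC service $1, one per line,
# prefixed with its kind ("rule:" or "svcgroup:"). Empty output = no refs.
hbac_refs() {
    svc=$1
    ipa hbacrule-find --services="$svc" --pkey-only --sizelimit=0 2>/dev/null \
        | awk -F': ' '/^  Rule name:/ { print "rule:" $2 }'
    ipa hbacsvcgroup-find --hbacsvcs="$svc" --pkey-only --sizelimit=0 2>/dev/null \
        | awk -F': ' '/^  Service group name:/ { print "svcgroup:" $2 }'
}

# Delete HBAC service $1 only when nothing references it.
# Returns 1 (and lists the references on stderr) when a rule or
# service group would silently change behavior, as in the report.
safe_hbacsvc_del() {
    svc=$1
    refs=$(hbac_refs "$svc")
    if [ -n "$refs" ]; then
        printf 'Refusing to delete HBAC service "%s"; still referenced by:\n' "$svc" >&2
        printf '%s\n' "$refs" >&2
        return 1
    fi
    ipa hbacsvc-del "$svc"
}

# Usage: safe_hbacsvc_del demosvc
```

With the rule from the ticket in place, safe_hbacsvc_del demosvc stops with "rule:demorule" instead of leaving demorule with an empty service list; the same pattern (sudorule-find --sudocmds before sudocmd-del) covers the sudo case raised in the comment.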