#7833 HBAC SVC can be deleted although it is used by a HBAC rule
Opened 5 years ago by cheimes. Modified 5 years ago

Issue

ipa hbacrule-del does not check or warn if removing a HBAC service that is referenced by a HBAC rule. The removal of a SVC modifies the behavior of the rule. It doesn't look like a security issue, because there is no implicit all match for HBAC rules without any service.

Steps to Reproduce

  1. create hbac service
  2. create hbac rule
  3. add svc to rule
  4. delete svc

Actual behavior

There is no warning / error

Expected behavior

hbacsvc-del should fail

Version/Release/Distribution

freeipa-server-4.7.2-1.fc29.x86_64

Additional info:

# ipa hbacsvc-add demosvc
----------------------------
Added HBAC service "demosvc"
----------------------------
  Service name: demosvc
# ipa hbacrule-add demorule --usercat=all --hostcat=all
--------------------------
Added HBAC rule "demorule"
--------------------------
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
# ipa hbacrule-add-service demorule --hbacsvcs=demosvc
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
  Services: demosvc
-------------------------
Number of members added 1
-------------------------
# ipa hbacsvc-del demosvc
------------------------------
Deleted HBAC service "demosvc"
------------------------------
# ipa hbacrule-show demorule
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
# ipa hbactest --user=admin --host=$(hostname) --service=sshd --rules=demorule
---------------------
Access granted: False
---------------------
  Not matched rules: demorule

Alexander pointed out that sudo rules are probably also affected. I guess HBAC service groups show the same behavior.
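
Added example, not part of the original ticket and not FreeIPA code: a pre-deletion check that lists the rules still referencing a service directly, using the "Rule name:" and "Services:" fields shown in the output above. The function names, the wrapper, the sample input, and the assumption that `ipa hbacrule-find --all` prints the same fields as `hbacrule-show` are illustrative; membership via service groups is not covered.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Field labels "Rule name:" and "Services:"
# are taken from the hbacrule-show output in the report.

# Read hbacrule-show / hbacrule-find style text on stdin and print the name of
# every rule whose "Services:" line lists exactly the service given as $1.
rules_using_svc() {
    awk -v svc="$1" '
        /^[ \t]*Rule name:/ {
            sub(/^[ \t]*Rule name:[ \t]*/, ""); rule = $0; next
        }
        /^[ \t]*Services:/ {
            sub(/^[ \t]*Services:[ \t]*/, "")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (parts[i] == svc) { print rule; break }
        }
    '
}

# Hypothetical wrapper: refuse to delete a service that a rule still references.
# Assumption: "ipa hbacrule-find --all" prints the same fields as hbacrule-show.
safe_hbacsvc_del() {
    svc="$1"
    users=$(ipa hbacrule-find --all --sizelimit=0 | rules_using_svc "$svc")
    if [ -n "$users" ]; then
        echo "refusing to delete $svc, still used by: $users" >&2
        return 1
    fi
    ipa hbacsvc-del "$svc"
}

# Constructed sample input (not captured from a real server).
sample_rules() {
    cat <<'EOF'
  Rule name: demorule
  User category: all
  Host category: all
  Enabled: TRUE
  Services: demosvc, sshd

  Rule name: otherrule
  Enabled: TRUE
  Services: demosvc2
EOF
}
```

The match is on the whole service name, so a check for `demosvc` does not report a rule that only lists `demosvc2`.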
