The FreeIPA team would like to announce FreeIPA 4.6.9 release!
It can be downloaded from http://www.freeipa.org/page/Downloads.
Highlights in 4.6.9
It was found that if an account with a name corresponding to an account local to a system, such as 'root', was created via IPA, such account could access any enrolled machine with that identitity and the local system privileges. This also bypass the absence of explicit HBAC rules.
Since the account can only be created by user administrators in FreeIPA, several changes were done to tighten permissions and prevent creation of 'root' identity by mistake.
root principal alias
The principal "root@REALM" is now a Kerberos principal alias for "admin". This prevent user with "User Administrator" role or "System: Add User" privilege to create an account with "root" principal name.
Modified user permissions
Several user permissions no longer apply to admin users and filter on posixAccount object class. This prevents user managers from modifying admin acounts:
- System: Manage User Certificates
- System: Manage User Principals
- System: Manage User SSH Public Keys
- System: Modify Users
- System: Remove Users
- System: Unlock user
System: Unlock User permission is now restricted because the permission also allows a user manager to lock an admin account.
System: Modify Users is restricted to prevent user managers from changing login shell or notification channels (mail, mobile) of admin accounts.
New user permission
- System: Change Admin User password
This new permission allows manipulation of admin user password fields. By default only the PassSync Service privilege is allowed to modify admin user password fields.
Modified group permissions
Group permissions are now restricted as well. Group admins can no longer modify the admins group and are limited to groups with object class ipausergroup.
- System: Modify Groups
- System: Remove Groups
The permission System: Modify Group Membership was already limited.
Upgrade instructions are available on Upgrade page.
Please provide comments, bugs and other feedback via the freeipa-users mailing list (https://firstname.lastname@example.org/) or #freeipa channel on Freenode.
- #8326 CVE-2020-10747
Detailed changelog since 4.6.8
Alexander Bokovoy (1)
- Become FreeIPA 4.6.9 commit