#2271 Administrative Roles given the permission to change a user password should not be able to change user's passwords that are in the Administrators Group
Closed: Fixed None Opened 12 years ago by dpal.

https://bugzilla.redhat.com/show_bug.cgi?id=773759

Description of problem:
With IPA and delegated administration, at this time, there is no concept of
"scoping" those permissions.  However, the permission "Change a user passwd",
needs to by default exclude users in the Administrators group ... or any help
desk or User admin can change the administrator's password without being
prompted for the existing password.


Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Add a new user and assign the user a password
2. Assign the new user the helpdesk role that contains "Change a user password"
permission
3. kinit as the user
4. change the admin user's password
   ipa passwd admin

Actual results:
help desk admin can change passwords of users in Administrators group

Expected results:
Denied being able to change the password

Additional info:

Metadata Update from @dpal:
- Issue assigned to rcritten
- Issue set to the milestone: FreeIPA 2.2 Core Effort - 2012/02

7 years ago
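
A small model of the access decision this ticket asks for, as an added example (not FreeIPA code and not the project's fix). The directory data, user names and function names are constructed for illustration, and the model goes slightly beyond the report by following nested group membership.

```python
# Constructed sample data: group -> direct members (users or nested groups).
GROUPS = {
    "administrators": {"admin", "senior-ops"},  # senior-ops is a nested group
    "senior-ops": {"carol"},
}
# Constructed role table: role -> (members, permissions granted).
ROLES = {"helpdesk": ({"hd1"}, {"Change a user password"})}
USERS = {"admin", "carol", "dave", "hd1"}
PROTECTED_GROUP = "administrators"
PERMISSION = "Change a user password"

def members_of(group, seen=None):
    """Return all users in a group, following nested groups (cycle-safe)."""
    seen = set() if seen is None else seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in GROUPS.get(group, ()):
        users |= members_of(member, seen) if member in GROUPS else {member}
    return users

def has_permission(actor, permission):
    """True if any role held by the actor carries the permission."""
    return any(actor in who and permission in perms for who, perms in ROLES.values())

def may_reset(actor, target, scoped):
    """Can actor set target's password without knowing the current one?"""
    protected = members_of(PROTECTED_GROUP)
    if actor in protected:
        return True  # administrators keep full rights
    if not has_permission(actor, PERMISSION):
        return False
    # scoped=False is the reported behaviour; scoped=True is the expected one.
    return not (scoped and target in protected)

def escalation_paths(scoped):
    """(actor, target) pairs where a non-administrator can reset an administrator."""
    protected = members_of(PROTECTED_GROUP)
    return sorted((a, t) for a in USERS - protected for t in protected
                  if may_reset(a, t, scoped))

if __name__ == "__main__":
    print("unscoped:", escalation_paths(scoped=False))
    print("scoped:  ", escalation_paths(scoped=True))
```
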
