Re: [ldapext] RFC2307, netgroups, DBIS

Mark R Bannister <dbis@proseconsulting.co.uk> Wed, 04 February 2015 21:41 UTC

Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED8D01A8925 for <ldapext@ietfa.amsl.com>; Wed, 4 Feb 2015 13:41:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.8
X-Spam-Level:
X-Spam-Status: No, score=0.8 tagged_above=-999 required=5 tests=[BAYES_50=0.8] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Fmo7VevEgEHj for <ldapext@ietfa.amsl.com>; Wed, 4 Feb 2015 13:41:09 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.61]) by ietfa.amsl.com (Postfix) with ESMTP id 5FABA1A891E for <ldapext@ietf.org>; Wed, 4 Feb 2015 13:41:09 -0800 (PST)
Received: from host86-178-119-74.range86-178.btcentralplus.com ([86.178.119.74] helo=[192.168.1.67]) by mail11.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1YJ7h5-0000gm-D4; Wed, 04 Feb 2015 21:41:07 +0000
Message-ID: <54D291ED.1080803@proseconsulting.co.uk>
Date: Wed, 04 Feb 2015 21:41:01 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: "michael-catchall@mail.stroeder.local (POP3)" <michael@stroeder.com>, ldapext@ietf.org
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <54C80DB9.10901@stroeder.com> <54C81EBD.3020804@proseconsulting.co.uk> <54C921AB.1090309@stroeder.com> <54CEADBC.5070902@proseconsulting.co.uk> <54CF4F66.5000001@stroeder.com>
In-Reply-To: <54CF4F66.5000001@stroeder.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/XQMf_cuF2S0_cY3D9BBifCsxx1Y>
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 21:41:12 -0000

On 02/02/2015 10:20, michael-catchall@mail.stroeder.local (POP3) wrote:
> (Changed the subject.)
>
> Mark R Bannister wrote:
>> On 28/01/2015 17:51, Michael Ströder wrote:
>>>> Rather than attempting to kill off something that is used extensively, and has
>>>> actually proved to be very useful in large UNIX/Linux estates (if a bit
>>>> clunky), I've embraced them, rationalised them, defined them in a neater and
>>>> queryable format, and complemented them with netservices.
>>> I'd avoid them and convert access control rules based on netgroups into
>>> another schema and let the LDAP server's ACL work through the data.
>> Agreed, great for access control.  But I don't see how that will work for the
>> other netgroup use-cases.
> Which particular netgroup use-cases do you see?
> One example is sufficient.

Generically, application roles.  A specific example: sudo, where sudo 
rules are enabled for users based on netgroup membership.  The LDAP 
server does not know the user requesting sudo access, only the client 
system knows that, so server-side ACLs are not going to help.

I do need to give a second example, because the first is specific to 
users.  Here is one specific to hosts: NFS, where an NFS server might 
grant read-only access to every host on the network except for those 
that are members of a specific netgroup, which get read-write access.  
The NFS server needs to know when a client request comes in whether this 
host is a member of the netgroup that grants read-write access or not, 
and this cannot be implemented by server-side ACLs, because only the NFS 
server knows the identity of the client requesting access to the fileshare.

>
>>> My main objective is that not the client system evaluates all the stuff. The
>>> client system should not see data not usable on the system. The client system
>>> acts as a dumb RFC2307(bis) and sudo-ldap client. Of course the client system
>>> still enforces file access permissions etc. locally.
>> I agree with you on that point.  Perhaps I could take a similar approach
>> with DBIS.  I'm interested, today the NSS library on Linux hosts does not
>> have the identity of the requester.  It is quite normal for there to be a
>> service account used in the LDAP bind, or perhaps even an anonymous bind.
> IMO it's ok to use an individual machine identity to request NSS data from the
> LDAP server. But if the machine gets rooted the attacker should not see the
> rest of the NSS data for other server/service groups. So my threat model is
> that the machine is already out of control.

In the deployments I see, typically every user can login to every host, 
and any application could run anywhere, therefore any compromised 
machine will of course yield all NSS data.  However, the NSS data isn't 
particularly sensitive anyway, and quite often the LDAP directories are 
open for anyone with a network device to query over port 389 anyway, so 
I haven't worked in an organisation yet where applying server-side ACLs 
to NSS maps would actually be of any practical use.

What was the use-case you saw for it?

>
>> The LDAP server can then only usefully filter with ACLs data that is
>> restricted to specific hosts, but not to specific users.  So you are only
>> solving half the problem, right?
> Filtering more based on identity of end user on a machine would IMO violate
> POSIX semantics.
> What do others think?
>
> Ciao, Michael.
>
>
I wasn't suggesting that different users get different filtered views of 
the NSS maps.  They're open for all to see.  They should, however, 
continue to be used to determine application rights and roles on a 
client, as they do today, which server-side ACLs cannot replace.

Best regards,
Mark.