Re: [ldapext] RFC2307, netgroups, DBIS

Mark R Bannister <dbis@proseconsulting.co.uk> Wed, 11 February 2015 11:56 UTC

Return-Path: <dbis@proseconsulting.co.uk>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B716C1A885E for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 03:56:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.1
X-Spam-Level: *
X-Spam-Status: No, score=1.1 tagged_above=-999 required=5 tests=[BAYES_50=0.8, MIME_8BIT_HEADER=0.3] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FUkPzJf8TtqR for <ldapext@ietfa.amsl.com>; Wed, 11 Feb 2015 03:56:50 -0800 (PST)
Received: from mailex.mailcore.me (mailex.mailcore.me [94.136.40.64]) by ietfa.amsl.com (Postfix) with ESMTP id 1E4D31A00EF for <ldapext@ietf.org>; Wed, 11 Feb 2015 03:56:50 -0800 (PST)
Received: from host86-178-119-74.range86-178.btcentralplus.com ([86.178.119.74] helo=[192.168.1.67]) by mail5.atlas.pipex.net with esmtpa (Exim 4.71) (envelope-from <dbis@proseconsulting.co.uk>) id 1YLVuS-0004NN-EV; Wed, 11 Feb 2015 11:56:48 +0000
Message-ID: <54DB437C.4050501@proseconsulting.co.uk>
Date: Wed, 11 Feb 2015 11:56:44 +0000
From: Mark R Bannister <dbis@proseconsulting.co.uk>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.4.0
MIME-Version: 1.0
To: =?UTF-8?B?TWljaGFlbCBTdHLDtmRlcg==?= <michael@stroeder.com>, ldapext@ietf.org
References: <etPan.54c553b0.19e21bb2.1f2@lpm.local> <54C77E7A.6010506@proseconsulting.co.uk> <54C7B32A.7050709@stroeder.com> <54C7FA23.7000101@proseconsulting.co.uk> <54C80DB9.10901@stroeder.com> <54C81EBD.3020804@proseconsulting.co.uk> <54C921AB.1090309@stroeder.com> <54CEADBC.5070902@proseconsulting.co.uk> <54CF4F66.5000001@stroeder.com> <54D291ED.1080803@proseconsulting.co.uk> <54D2A608.6050907@stroeder.com>
In-Reply-To: <54D2A608.6050907@stroeder.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Mailcore-Auth: 12040446
X-Mailcore-Domain: 1286164
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/_5dvtYudwgcyYXH8lFX_YBdFV0o>
Subject: Re: [ldapext] RFC2307, netgroups, DBIS
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 11:56:53 -0000

On 04/02/2015 23:06, Michael Ströder wrote:
> Mark R Bannister wrote:
>> michael@stroeder.com wrote:
>>> Mark R Bannister wrote:
>>>> Agreed, great for access control.  But I don't see how that will work for the
>>>> other netgroup use-cases.
>>> Which particular netgroup use-cases do you see?
>>> One example is sufficient.
>> Generically, application roles.  A specific example: sudo, where sudo rules
>> are enabled for users based on netgroup membership.  The LDAP server does not
>> know the user requesting sudo access, only the client system knows that, so
>> server-side ACLs are not going to help.
> The server only sees 'sudoRole' entries assigned as visible for its particular
> server/host/service group(s). Which particular command a user can execute is
> indeed subject to fine-grained control by sudo on the client (based on
> attribute 'sudoUser' which with my approach is restricted to only referencing
> user groups).

So you've come up with a point solution for 'sudo' that would replace 
the need for sudo to use
netgroups, because you don't like netgroups.  Great for sudo, perhaps, 
but netgroups are of
generic use to multiple applications, whereas 'sudoRole' and 'sudoUser' 
are specific to sudo
only.  I don't think it's a great idea to replace a solution of generic 
applicability with one that
addresses the need of one specific use-case only.

>> I do need to give a second example, because the first is specific to users.
>> Here is one specific to hosts: NFS, where an NFS server might grant read-only
>> access to every host on the network except for those that are members of a
>> specific netgroup, which get read-write access.  The NFS server needs to know
>> when a client request comes in whether this host is a member of the netgroup
>> that grants read-write access or not, and this cannot be implemented by
>> server-side ACLs, because only the NFS server knows the identity of the client
>> requesting access to the fileshare.
> In my model such a NFS client host would be also simply an authenticated
> (system) user and member of user groups. The NFS server only sees user groups
> assigned as visible for its particular server/host/service group. And
> furthermore it only sees the members of those user groups (NFS clients in this
> example).

I'm not the world's biggest fan of "service accounts", as users should 
be users in my mind, not
systems, but they're prevalent everywhere and I'm not going to solve 
that one.  However,
replacing another example of where netgroups fit nicely with one that 
requires every NFS client
to have its own authenticated user account is not practical in an 
enterprise environment with
80,000 user accounts already and 60,000 hosts.

NFSv4 has already solved the NFS authentication problem, and that 
requires nothing more
than the user who attempts to access the files having a valid Kerberos 
ticket.

>
>> In the deployments I see, typically every user can login to every host, and
>> any application could run anywhere, therefore any compromised machine will of
>> course yield all NSS data.
> Yes. But not with my approach.

Why not?  If everyone can login everywhere, your approach solves 
nothing?  It just adds an extra
layer of complexity and an extra hurdle to those attempting to 
troubleshoot issues.

>
>> However, the NSS data isn't particularly sensitive anyway,
> I disagree.

If everyone can login everywhere, what NSS data is sensitive?

>
>> and quite often the LDAP directories are open for anyone with a network
>> device to query over port 389 anyway,
> Yes in general, but not with my approach. ;-}

Yes but I'm trying to see how your approach can be made applicable for 
all, I don't see how it
could be put out for general use, and therefore I don't see how it can 
be compared with DBIS
or RFC2307, both of which are designed for wide adoption.

>
>> so I haven't worked in an organisation yet where applying server-side ACLs
>> to NSS maps would actually be of any practical use.
> Well, this system is in production use.  :-)

So is a lot of software, good and bad.

>
>> What was the use-case you saw for it?
> Role separation with separate credentials (especially passwords for sudo
> access), and paranoid protection of information I consider sensitive because
> it could be used to plan next steps (e.g. social engineering).

So what if I login one of your hosts and type 'getent passwd'.  What 
will I see?  Enough data
to do some social engineering?

> And furthermore you can keep the client configuration and map evaluation very
> simple because the visibility of users and user groups is constrained by
> access control based on server/host/service group membership of the NSS client.

At the cost of added complexity, a false sense of security unless you 
are very careful how
you design who can login to which hosts, and at best you've just shifted 
the target point
for hackers to the LDAP servers instead.

Best regards,
Mark.