Bug 24457 - Prevent deleting critical system objects
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: UMC - Domain management (Generic)
Version: UCS 4.1
Hardware/OS: Other Linux
Importance: P2 enhancement, 2 votes
Target Milestone: ---
Assigned To: UMC maintainers
Duplicates: 33568 40858
Depends on:
Blocks:
Reported: 2011-11-08 22:15 CET by Stefan Gohmann
Modified: 2019-01-03 07:19 CET
CC: 7 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.114
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2018061121000851
Bug group (optional): Usability
Max CVSS v3 score:


Attachments

Description Stefan Gohmann univentionstaff 2011-11-08 22:15:10 CET
We should prevent the deletion of critical system objects, for example the cn=default containers, the various cn=univention objects, or cn=admin, uid=Administrator, and so on.

In AD the attribute isCriticalSystemObject exists for this purpose.
Comment 1 Alexander Kläser univentionstaff 2012-02-01 16:51:29 CET
It may also be necessary to introduce a property such as isSingleton for a UDM module, so that only one object of that type can exist.
Comment 2 Alexander Kläser univentionstaff 2012-06-01 16:59:09 CEST
This may also apply to UCR variables.
Comment 3 Alexander Kläser univentionstaff 2013-07-19 12:10:21 CEST
Additional keywords: critical system object
Comment 4 Alexander Kläser univentionstaff 2013-07-19 12:11:14 CEST
See also Bug 31042
Comment 5 Alexander Kläser univentionstaff 2013-07-19 17:03:12 CEST
*** Bug 31042 has been marked as a duplicate of this bug. ***
Comment 6 Alexander Kläser univentionstaff 2013-11-26 11:22:31 CET
See also Bug 33568: Warning before removing dc master.
Comment 7 Philipp Hahn univentionstaff 2014-04-07 10:14:55 CEST
+1
Comment 8 Alexander Kläser univentionstaff 2016-04-14 13:28:13 CEST
*** Bug 40858 has been marked as a duplicate of this bug. ***
Comment 9 Alexander Kläser univentionstaff 2016-04-14 13:28:48 CEST
From Bug 40858:
> Bug 31167 / Bug 37654 introduced the objectFlag / univentionObjectFlag
> attribute supporting the values "hidden" and "functional". As originally
> proposed by Sönke, we should also support "system" and make UDM protect
> object attributed as such to avoid accidental deletion or renaming.
> 
> Bug 32871 added the "hidden" flag to a couple of builtin user and group
> accounts.
> 
> For example for the krbtgt account (Bug 40763) and the dns-service accounts
> the write protection would be useful. The S4-Connector could possibly map
> this attribute value to the attribute isCriticalSystemObject: TRUE which is
> used in Active Directory.
Comment 10 Florian Best univentionstaff 2017-02-10 13:39:59 CET
*** Bug 33568 has been marked as a duplicate of this bug. ***
Comment 11 Arvid Requate univentionstaff 2018-06-21 09:21:45 CEST
Seen at Ticket #2018061121000851:

udm users/user modify --dn "uid=dns-$(hostname),cn=users,$(ucr get ldap/base)" \
                      --set username=newname

After that dynamic DNS updates are impossible and the "newname" account owns the service principal.
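The protection proposed in comment 9 (a "system" value for univentionObjectFlag that makes UDM refuse deletion and renaming) applied to the rename from comment 11, as an added Python example. This is illustration code, not UDM or S4-Connector code: the in-memory directory, the host name "master", the base DN dc=example,dc=com and the helper names (check_operation, apply_operation, ad_attributes, ProtectedObjectError) are all assumptions. The guard also refuses clearing the flag itself, so the protection cannot be bypassed by removing it first.

```python
"""Added example, not part of UDM or the S4-Connector: a guard that refuses
to delete or rename directory objects carrying the proposed "system" value
in univentionObjectFlag, next to the existing "hidden" and "functional"
values. Directory contents, the host name "master" and all helper names
are constructed assumptions."""

FLAG_ATTR = "univentionObjectFlag"
SYSTEM_FLAG = "system"


class ProtectedObjectError(Exception):
    """Raised when an operation would delete or rename a system object."""


def parse_rdn(dn):
    """Split the leftmost RDN of a DN into (attribute, value); the attribute
    is lower-cased. Escaped commas inside RDN values are not handled here."""
    attr, _, value = dn.split(",", 1)[0].partition("=")
    return attr.strip().lower(), value.strip()


def is_system_object(entry):
    """True if the entry carries univentionObjectFlag=system (case-insensitive)."""
    return SYSTEM_FLAG in {v.lower() for v in entry.get(FLAG_ATTR, [])}


def check_operation(directory, dn, op, changes=None):
    """Return a refusal reason, or None when the operation may proceed.

    op is "remove" or "modify"; changes maps attribute -> list of new values.
    Only system objects are restricted, and only against deletion, a change
    of the RDN value (which UDM turns into a rename) and clearing the flag
    itself. Every other attribute change on a system object is allowed.
    """
    entry = directory[dn]
    if not is_system_object(entry):
        return None
    if op == "remove":
        return f"{dn}: deletion refused, object carries {FLAG_ATTR}={SYSTEM_FLAG}"
    if op != "modify":
        raise ValueError(f"unknown operation {op!r}")
    rdn_attr, rdn_value = parse_rdn(dn)
    for attr, values in (changes or {}).items():
        if attr.lower() == rdn_attr and rdn_value not in values:
            return f"{dn}: rename via {rdn_attr} refused, object is a system object"
        if attr.lower() == FLAG_ATTR.lower() and SYSTEM_FLAG not in {v.lower() for v in values}:
            return f"{dn}: clearing {FLAG_ATTR}={SYSTEM_FLAG} refused"
    return None


def apply_operation(directory, dn, op, changes=None):
    """Enforce check_operation(), then apply the change to the in-memory directory."""
    reason = check_operation(directory, dn, op, changes)
    if reason is not None:
        raise ProtectedObjectError(reason)
    if op == "remove":
        return directory.pop(dn)
    entry = directory[dn]
    entry.update(changes or {})
    return entry


def ad_attributes(entry):
    """Illustrative mapping to the Active Directory attribute named in
    comment 9; this is an assumption, not the S4-Connector's actual mapping."""
    return {"isCriticalSystemObject": "TRUE" if is_system_object(entry) else "FALSE"}


def build_sample_directory():
    """Constructed sample entries (not dumped from a real UCS domain)."""
    base = "dc=example,dc=com"
    return {
        f"uid=dns-master,cn=users,{base}": {
            "uid": ["dns-master"],
            "description": ["dynamic DNS update account"],
            FLAG_ATTR: ["hidden", "system"],
        },
        f"uid=krbtgt,cn=users,{base}": {
            "uid": ["krbtgt"],
            FLAG_ATTR: ["hidden", "system"],
        },
        f"uid=alice,cn=users,{base}": {
            "uid": ["alice"],
            "description": ["ordinary user, not protected"],
        },
    }


if __name__ == "__main__":
    directory = build_sample_directory()
    dns_dn = "uid=dns-master,cn=users,dc=example,dc=com"
    # The rename from the ticket: udm users/user modify --set username=newname
    try:
        apply_operation(directory, dns_dn, "modify", {"uid": ["newname"]})
    except ProtectedObjectError as exc:
        print("blocked:", exc)
    # Other attributes of a system object may still be edited.
    apply_operation(directory, dns_dn, "modify", {"description": ["edited"]})
    # Unflagged objects are unaffected.
    apply_operation(directory, "uid=alice,cn=users,dc=example,dc=com", "remove")
    print(ad_attributes(directory[dns_dn]))
```

The check keys on the RDN value rather than on the attribute name, so adding a second uid value to a system object passes while replacing the RDN value (the ticket's --set username=newname) is refused; the "hidden" flag on its own gives no protection in this model, which matches the distinction drawn in comment 9.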
Comment 12 Daniel Tröder univentionstaff 2018-06-21 12:42:24 CEST
I suggest setting the "hidden" flag on all user accounts that are only used internally, like:
- dns-<hostname>
- http-proxy-<hostname>
- krbtgt
Comment 13 Arvid Requate univentionstaff 2018-06-21 22:16:39 CEST
Yes, Bug 40763 is connected via "see also".
Comment 14 Stefan Gohmann univentionstaff 2019-01-03 07:19:58 CET
This issue has been filed against UCS 4.1. The maintenance with bug and security fixes for UCS 4.1 has ended on the 5th of April 2018.

Customers still on UCS 4.1 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.