
Re: (ITS#3472) return code should be 32 when no access to object



Kurt D. Zeilenga wrote:

However, "disclose on error" (disclose) and
"don't disclose on error" (none) can be implemented now in
backends.

To clarify: noSuchObject should be returned whenever (and whatever) access to "entry" is required if "disclose" is not granted. Which means:
- when adding an entry, if no disclose is granted to the entry being added;
- when deleting an entry, if no disclose is granted to the entry being deleted;
- when renaming an entry, if no disclose is granted to the entry being renamed;
- when searching, but how? If the scope is "base", if no disclose is granted to the searchBase; I guess it would be appropriate to always return noSuchObject if no disclose is available for the searchBase, otherwise an attacker could circumvent the check by searching for onelevel or subtree while checking for the existence of the baseObject;
- when accessing a referral, if no disclose is granted to the entry containing the referralObject.


I'd also send noSuchObject if disclose is not granted to the "children" attribute of parents whenever required (i.e. add, delete, rename).

Another comment: should "disclose" be also granted for each operation to succeed, or should it be checked only if the required access is not available, to decide what error to return? In case, I vote for the latter.

Note that since access to the entry pseudo-attribute is already checked, the extra check for disclose can be easily implemented by using access_allowed_mask(), which also returns the complete access mask and can be used to check if disclose is granted in case the requested privilege is not granted.

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
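
The result-code choice discussed in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a small C model in which disclose is consulted only after the required access has been refused, and the searchBase check is the same for every scope. The entry table, access bits and function names are hypothetical; only the LDAP result codes 0, 32 and 50 are real.

```c
/* Added illustration, not OpenLDAP code: the entry table, access bits and
 * function names are hypothetical. Only the result codes are LDAP's own. */
#include <stddef.h>
#include <string.h>

enum { LDAP_SUCCESS = 0, LDAP_NO_SUCH_OBJECT = 32, LDAP_INSUFFICIENT_ACCESS = 50 };
enum { ACC_DISCLOSE = 1, ACC_SEARCH = 2, ACC_WRITE = 4 };   /* model bits */
enum { SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE };

/* Constructed sample data: rights the requester holds on each "entry". */
struct entry { const char *dn; unsigned granted; };
static const struct entry dit[] = {
    { "ou=people,dc=example,dc=com", ACC_DISCLOSE | ACC_SEARCH },
    { "ou=staff,dc=example,dc=com",  ACC_DISCLOSE },  /* visible, not searchable */
    { "ou=secret,dc=example,dc=com", 0 },             /* must look nonexistent */
};

/* Stand-in for a mask-returning ACL check: one evaluation answers both
 * "is `wanted` granted?" and "which rights are granted at all?". */
static int allowed_mask(const struct entry *e, unsigned wanted, unsigned *mask)
{
    *mask = e->granted;
    return (e->granted & wanted) == wanted;
}

/* Disclose is consulted only after the required access was refused. */
int entry_result(const char *dn, unsigned wanted)
{
    for (size_t i = 0; i < sizeof dit / sizeof dit[0]; i++) {
        unsigned mask;
        if (strcmp(dit[i].dn, dn) != 0) continue;
        if (allowed_mask(&dit[i], wanted, &mask)) return LDAP_SUCCESS;
        return (mask & ACC_DISCLOSE) ? LDAP_INSUFFICIENT_ACCESS
                                     : LDAP_NO_SUCH_OBJECT;
    }
    return LDAP_NO_SUCH_OBJECT;   /* genuinely absent */
}

/* The searchBase check ignores scope, so onelevel/subtree cannot be used
 * to probe for a base entry that a base-scope search would hide. */
int search_result(const char *base, int scope)
{
    (void)scope;
    return entry_result(base, ACC_SEARCH);
}
```

The property to verify in a real backend is the same one the model shows: for a requester without disclose, an existing entry and a missing DN produce the same result code in every scope.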