[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enforcing attribute ACL on add operations

To: Kurt Zeilenga <Kurt@OpenLDAP.org>
Subject: Re: Enforcing attribute ACL on add operations
From: Howard Chu <hyc@symas.com>
Date: Mon, 29 Sep 2008 12:52:25 -0700
Cc: Emmanuel Dreyfus <manu@netbsd.org>, openldap-devel@OpenLDAP.org
In-reply-to: <C135ED79-E863-4BDC-B8C4-75BFC73E348E@OpenLDAP.org>
References: <1inxt11.cgwyyf6ay10sM%manu@netbsd.org> <C135ED79-E863-4BDC-B8C4-75BFC73E348E@OpenLDAP.org>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.1b1pre) Gecko/20080917130338 SeaMonkey/2.0a1pre

Kurt Zeilenga wrote:

On Sep 27, 2008, at 8:59 AM, Emmanuel Dreyfus wrote:
Hello
Right now, slapd ignore attribute ACL when performing an add
operation.
I note that this is the expected behavior, been so for many, many years.

Yes, but it never really made much sense - it means you can be forbidden from modifying an existing record to contain certain privileged data, but not forbidden from creating records with privileged data. It makes sense to me that your ability to create particular data values should not depend on whether you're creating it for the very first time, or some subsequent time.

(Coming at it from the opposite direction, Delete of course requires you to permit the Delete even if certain attributes are read-only; since every entry contains read-only operational attributes, deletes would be impossible without this provision.)

If you have privilegied users that can add entries, it means that
you can
prevent them from modifying attributes in existing entries, but you
cannot
prevent them from adding an entry with a read-only attribute.

The problem can be interesting with an attribute such as authzTo,
where the
whole access control can be circumvented by any user that can create
an
entry in the tree. IMO this behavior was not intended, but if it was,


It was.   Likewise the behavior of rename.

then it should be clearly documented.


I recall it being noted somewhere in the documents, but likely not as
clear as it should be.  I recall discussing this ACL/authzTo issue
long ago.

Below is a patch that cause attribute ACL to be checked for add
operations.
It is done in the backend, so if it is acceptable, then I will have
to do it
for other backends. I wonder if the modrdn operation shoulnd't be
subject to
the same sanity checks.

Any thought? Does it look right?


I have no opinion as whether this change should be made or not.  I'm
merely providing some background information....

-- Kurt


diff -U2 -r1.174 add.c
--- servers/slapd/back-bdb/add.c        26 Aug 2008 23:45:35
-0000     1.174
+++ servers/slapd/back-bdb/add.c        27 Sep 2008 15:54:58 -0000
@@ -300,4 +300,22 @@
       }

+       /*
+        * Check ACL for attribute write access
+        */
+       if (!acl_check_modlist(op, oe, op->ora_modlist)) {
+               switch( opinfo.boi_err ) {
+               case DB_LOCK_DEADLOCK:
+               case DB_LOCK_NOTGRANTED:
+                       goto retry;
+               }
+
+               Debug( LDAP_DEBUG_TRACE,
+                       LDAP_XSTRING(bdb_add) ": no write access to
attribute\n",
+                       0, 0, 0 );
+               rs->sr_err = LDAP_INSUFFICIENT_ACCESS;
+               rs->sr_text = "no write access to attribute";
+               goto return_results;;
+       }
+
       if ( eid == NOID ) {
               rs->sr_err = bdb_next_id( op->o_bd,&eid );

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/

References:
- Enforcing attribute ACL on add operations
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: Enforcing attribute ACL on add operations
  - From: Kurt Zeilenga <Kurt@OpenLDAP.org>

Prev by Date: Re: Enforcing attribute ACL on add operations
Next by Date: Re: Fwd: RE24 testing
Index(es):
- Chronological
- Thread