OpenLDAP
Viewing Development/3963
From: ando@sys-net.it
Subject: [development] ACIs design seems incompatible with "disclose" access privilege
Date: Tue, 23 Aug 2005 13:26:08 GMT
From: ando@sys-net.it
To: openldap-its@OpenLDAP.org
Subject: [development] ACIs design seems incompatible with "disclose" access privilege
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (131.175.154.56)
Submitted by: ando


ACIs currently don't have any notion of the "disclose" privilege.  In HEAD code,
the character 'd' has been recently allowed in ACI privileges.  However, ACI's
design does not allow collecting the real access a target is granted, so,
although checking for "disclose" access could be possible by means of a direct
request, e.g. calling access_allowed(ACL_DISCLOSE), current code calls
access_allowed_mask(<access>, &mask) to check if <access> is allowed and
simultaneously get the actual permissions in mask, where the access to
ACL_DISCLOSE is checked by the caller.  ACIs (and possibly the dynacl API) need
to be reworked to comply with this usage.

NOTE: in the original draft ACIs are loosely inspired by, 'd' was used for
"delete" permissions; I used 'd' for "disclose" for consistency with the rest of
slapd's access control, since there's no reason to stick with that expired
document.

p.
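To make the caller pattern described in the report concrete, here is an added C model (not slapd's code, and not part of the original report): a mask-returning evaluator lets the caller decide, after a denial, whether the entry's existence may be disclosed, while an evaluator that can only answer the single yes/no question hands back no usable mask, so the disclose decision is lost. The rule table, the subjects, the cumulative-level semantics and the two evaluator functions are constructed assumptions; only the enum names follow slapd's slap_access_t.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model of slapd's access levels. The enum names follow slapd's
 * slap_access_t; the cumulative-mask semantics and the evaluators below are
 * a constructed model for this report, not slapd's own implementation. */
typedef enum { ACL_NONE = 0, ACL_DISCLOSE, ACL_AUTH, ACL_COMPARE,
               ACL_SEARCH, ACL_READ, ACL_WRITE } slap_access_t;
typedef unsigned int slap_mask_t;
#define ACL_PRIV(a) (1u << (a))

/* Constructed static rules: the highest level granted to each subject. */
struct acl_rule { const char *who; slap_access_t level; };
static const struct acl_rule RULES[] = {
    { "cn=admin", ACL_WRITE }, { "cn=reader", ACL_READ }, { "cn=nobody", ACL_NONE },
};

/* Evaluator signature shared by both models: returns 1 if `access` is granted
 * and stores whatever it knows about the granted privileges in *maskp. */
typedef int (*evaluator_t)(const char *who, slap_access_t access, slap_mask_t *maskp);

/* Model of access_allowed_mask(): a grant of level L implies every lower
 * level, and the full set of granted privileges is returned in *maskp. */
int static_access_allowed_mask(const char *who, slap_access_t access, slap_mask_t *maskp) {
    slap_mask_t mask = 0;
    for (size_t i = 0; i < sizeof RULES / sizeof RULES[0]; i++)
        if (strcmp(RULES[i].who, who) == 0)
            for (int l = ACL_DISCLOSE; l <= (int)RULES[i].level; l++) mask |= ACL_PRIV(l);
    *maskp = mask;
    return (mask & ACL_PRIV(access)) != 0;
}

/* Model of an ACI-style evaluator: it can answer only the single question
 * asked, so it has no real mask to hand back (the situation the report describes). */
int aci_access_allowed_mask(const char *who, slap_access_t access, slap_mask_t *maskp) {
    slap_mask_t full;
    int allowed = static_access_allowed_mask(who, access, &full);
    *maskp = allowed ? ACL_PRIV(access) : 0;   /* nothing beyond the yes/no answer */
    return allowed;
}

/* Caller pattern from the report: check <access>, then on denial consult the
 * returned mask for ACL_DISCLOSE to pick the error. "insufficientAccess"
 * admits that the entry exists; "noSuchObject" hides its existence. */
const char *check_op(evaluator_t eval, const char *who, slap_access_t access) {
    slap_mask_t mask;
    if (eval(who, access, &mask)) return "ok";
    return (mask & ACL_PRIV(ACL_DISCLOSE)) ? "insufficientAccess" : "noSuchObject";
}
```

With the mask-returning evaluator a reader denied write is told insufficientAccess; fed through the ACI-style evaluator the same denial collapses to noSuchObject, because the caller never sees that disclose was granted.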


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org