OpenLDAP
Viewing Software Bugs/8909
From: guilhem@fripost.org
Subject: "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access

Date: Tue, 28 Aug 2018 23:41:41 +0000
From: guilhem@fripost.org
To: openldap-its@OpenLDAP.org
Subject: "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
Full_Name: Guilhem Moulin
Version: 2.4.44
OS: Debian GNU/Linux (Stretch)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (109.225.112.70)


slapd.conf(5) manpage (in both 2.4.44 and in current - 0f320b3 - master)
mentions that authz-policy's "all" flag requires both source and destination
authorization rules to succeed.  However if the source rule (the authentication
identity's "authzTo" attribute) fails but the destination rule (the
authorization identity's "authzFrom" attribute) succeeds, then the authorization
is granted, violating the intended semantics and possibly yielding unauthorized
access.  See the following log excerpt:

SASL proxy authorize [conn=1019]: authcid="authcid"
authzid="dn:uid=authzid,dc=example,dc=net"
==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
uid=authzid,dc=example,dc=net?
==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo
rule
in uid=authcid,dc=example,dc=net?
<==slap_sasl_check_authz: authzTo check returning 50
==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
rule in uid=authzid,dc=example,dc=net?
<===slap_sasl_match: comparison returned 0
<==slap_sasl_check_authz: authzFrom check returning 0
<== slap_sasl_authorized: return 0
conn=1019 op=1 BIND authcid="authcid"
authzid="dn:uid=authzid,dc=example,dc=net"
SASL Authorize [conn=1019]:  proxy authorization allowed
authzDN="uid=authzid,dc=example,dc=net"

AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
is also present in master.  Here is a naive patch that fails the authorization
if the source rules don't verify and SASL_AUTHZ_AND is set in authz_policy.

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
        if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) )
{
            goto DONE;
        }
+        else if( rc != LDAP_SUCCESS && (authz_policy &
SASL_AUTHZ_AND) ) {
+         rc = LDAP_INAPPROPRIATE_AUTH;
+         goto DONE;
+     }
    }
 
    /* Check destination rules */
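Review bot: the new `else if` branch discards the source-rule result before `goto DONE`: in the log above the authzTo check returned 50 (insufficientAccess), and for a missing authzTo attribute the check returns 16 (noSuchAttribute, see Followup 2), but both are replaced by LDAP_INAPPROPRIATE_AUTH, so the `<== slap_sasl_authorized: return` trace no longer says why the source check failed. That matches the function's other failing cases, so either keep it for consistency of the result code sent to the client or leave `rc` untouched and add only the `goto DONE`; either way, say which in the commit message. The logic is otherwise right: after this branch the only fall-through cases are a successful source check under "all" and a failed one under "any", and both must go on to the destination rules. One style point: the closing `+     }` is indented differently from the `}` that closes the preceding `if`.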

Followup 1

Subject: Re: (ITS#8909) "authz-policy all" works as "authz-policy any",
 possibly yielding unauthorized access
To: guilhem@fripost.org, openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Wed, 29 Aug 2018 01:14:51 +0100
guilhem@fripost.org wrote:
> Full_Name: Guilhem Moulin
> Version: 2.4.44
> OS: Debian GNU/Linux (Stretch)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (109.225.112.70)
>
>
> slapd.conf(5) manpage (in both 2.4.44 and in current - 0f320b3 - master)
> mentions that authz-policy's "all" flag requires both source and destinations
> authorizations rules to succeed.  However if the source rule (the authentication
> identity's "authzTo" attribute) fails but the destination rule (the
> authorization identity's "authzFrom" attribute) succeeds, then the authorization
> is granted, violating the intended semantics and possibly yielding unauthorized
> access.  See the following log excerpt:

Thanks for the report. Looks like this has been present since commit 113727ba.
Fixed now in git master

>
> SASL proxy authorize [conn=1019]: authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> ==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
> uid=authzid,dc=example,dc=net?
> ==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule
> in uid=authcid,dc=example,dc=net?
> <==slap_sasl_check_authz: authzTo check returning 50
> ==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
> rule in uid=authzid,dc=example,dc=net?
> <===slap_sasl_match: comparison returned 0
> <==slap_sasl_check_authz: authzFrom check returning 0
> <== slap_sasl_authorized: return 0
> conn=1019 op=1 BIND authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> SASL Authorize [conn=1019]:  proxy authorization allowed
> authzDN="uid=authzid,dc=example,dc=net"
>
> AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
> is also present in master.  Here is a naive patch that fails the authorization
> if the source rules doesn't verify and SASL_AUTHZ_AND is set in authz_policy.
>
> --- a/servers/slapd/saslauthz.c
> +++ b/servers/slapd/saslauthz.c
> @@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
>          if( rc == LDAP_SUCCESS && !(authz_policy &
SASL_AUTHZ_AND) ) {
>              goto DONE;
>          }
> +        else if( rc != LDAP_SUCCESS && (authz_policy &
SASL_AUTHZ_AND) ) {
> +         rc = LDAP_INAPPROPRIATE_AUTH;
> +         goto DONE;
> +     }
>      }
>  
>      /* Check destination rules */
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/



Followup 2

Date: Wed, 29 Aug 2018 02:45:10 +0200
From: Guilhem Moulin <guilhem@fripost.org>
To: Howard Chu <hyc@symas.com>
Cc: openldap-its@OpenLDAP.org
Subject: Re: (ITS#8909) "authz-policy all" works as "authz-policy any",
 possibly yielding unauthorized access
On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote:
> Thanks for the report. Looks like this has been present since commit
> 113727ba.  Fixed now in git master

Thanks for the quick fix!  Not sure why rc's value is preserved here but
set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though.  But
that doesn't seem to matter beside debug logs now showing a return value
other than 48, disclosing the actual reason of the failure; for instance

    <== slap_sasl_authorized: return 16
    SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16)

for a missing authzTo under authz-policy "all".

-- 
Guilhem.



Followup 3

Subject: Re: (ITS#8909) "authz-policy all" works as "authz-policy any",
 possibly yielding unauthorized access
To: Guilhem Moulin <guilhem@fripost.org>
Cc: openldap-its@OpenLDAP.org
From: Howard Chu <hyc@symas.com>
Date: Wed, 29 Aug 2018 02:04:27 +0100
Guilhem Moulin wrote:
> On Wed, 29 Aug 2018 at 01:14:51 +0100, Howard Chu wrote:
>> Thanks for the report. Looks like this has been present since commit
>> 113727ba.  Fixed now in git master
> 
> Thanks for the quick fix!  Not sure why rc's value is preserved here but
> set to LDAP_INAPPROPRIATE_AUTH in all other failing cases, though.  But
> that doesn't seem to matter beside debug logs now showing a return value
> other than 48, disclosing the actual reason of the failure; for instance
> 
>      <== slap_sasl_authorized: return 16
>      SASL Proxy Authorize [conn=1022]: proxy authorization disallowed (16)
> 
> for a missing authTo under authz-policy "all".
> 
Probably not a bad thing overall, but for consistency it's now patched
to set INAPPROPRIATE_AUTH as with the other cases.

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
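As an added illustration of the decision discussed in this thread (example code written for this page, not slapd's own code): a compact model of the source/destination policy check in slap_sasl_authorized(), once with the fall-through the report describes and once with the early exit from the posted patch, refined as in Followup 3 so that a failed source check under "all" is reported as inappropriateAuthentication (48). The policy flag values, the function names and the rule results fed in are assumptions for illustration; only the LDAP result codes (0, 16, 48, 50) are the standard protocol values that appear in the logs above. The model also runs the "any" policy, to show that the two versions differ only under "all".

```c
/* Added example (not slapd code): models the authz-policy decision from
 * ITS#8909. Flag values and function names are assumptions made for
 * illustration; the LDAP result codes are the standard ones. */
#include <stdio.h>

#define LDAP_SUCCESS             0x00   /* 0  */
#define LDAP_NO_SUCH_ATTRIBUTE   0x10   /* 16: authzTo/authzFrom absent */
#define LDAP_INAPPROPRIATE_AUTH  0x30   /* 48 */
#define LDAP_INSUFFICIENT_ACCESS 0x32   /* 50: attribute present, no match */

/* Modeled policy bits (assumed): "any" = FROM|TO, "all" = FROM|TO|AND. */
#define POLICY_FROM 0x01   /* check the target's authzFrom (destination rules) */
#define POLICY_TO   0x02   /* check the binder's authzTo (source rules) */
#define POLICY_AND  0x04   /* both checks must succeed */

/* Decision as the report describes it: a failed source check under "all"
 * falls through to the destination check, whose success overwrites rc. */
int authorized_before(int policy, int authzto_rc, int authzfrom_rc)
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    if (policy & POLICY_TO) {                 /* source rules */
        rc = authzto_rc;
        if (rc == LDAP_SUCCESS && !(policy & POLICY_AND))
            return rc;                        /* "any": one success suffices */
        /* bug: no exit when rc != LDAP_SUCCESS and POLICY_AND is set */
    }
    if (policy & POLICY_FROM) {               /* destination rules */
        rc = authzfrom_rc;                    /* clobbers the source failure */
    }
    return rc;
}

/* Decision with the fix applied: under "all" a failed source check is final
 * and is reported as inappropriateAuthentication, as the other failing
 * paths are (Followup 3). A successful source check under "all" still has
 * to pass the destination rules. */
int authorized_after(int policy, int authzto_rc, int authzfrom_rc)
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    if (policy & POLICY_TO) {
        rc = authzto_rc;
        if (rc == LDAP_SUCCESS && !(policy & POLICY_AND))
            return rc;
        if (rc != LDAP_SUCCESS && (policy & POLICY_AND))
            return LDAP_INAPPROPRIATE_AUTH;   /* the added early exit */
    }
    if (policy & POLICY_FROM) {
        rc = authzfrom_rc;
    }
    return rc;
}

/* 1 if the result code grants the proxy authorization, 0 otherwise. */
int is_allowed(int rc)
{
    return rc == LDAP_SUCCESS;
}

static void show(const char *label, int policy, int to_rc, int from_rc)
{
    int before = authorized_before(policy, to_rc, from_rc);
    int after  = authorized_after(policy, to_rc, from_rc);
    printf("%-28s authzTo=%2d authzFrom=%2d  before: %2d (%s)  after: %2d (%s)\n",
           label, to_rc, from_rc,
           before, is_allowed(before) ? "allowed" : "disallowed",
           after,  is_allowed(after)  ? "allowed" : "disallowed");
}

int main(void)
{
    int any = POLICY_FROM | POLICY_TO;
    int all = POLICY_FROM | POLICY_TO | POLICY_AND;

    /* Constructed scenarios; the first mirrors the log excerpt in the report
     * (authzTo check returned 50, authzFrom check returned 0). */
    show("all, authzTo no match",   all, LDAP_INSUFFICIENT_ACCESS, LDAP_SUCCESS);
    show("all, authzTo missing",    all, LDAP_NO_SUCH_ATTRIBUTE,   LDAP_SUCCESS);
    show("all, both match",         all, LDAP_SUCCESS,             LDAP_SUCCESS);
    show("all, authzFrom no match", all, LDAP_SUCCESS,             LDAP_INSUFFICIENT_ACCESS);
    show("any, authzTo no match",   any, LDAP_INSUFFICIENT_ACCESS, LDAP_SUCCESS);
    return 0;
}
```

The first scenario is the one in the report: before the fix the "all" policy grants the authorization on the strength of authzFrom alone, exactly as "any" would; after the fix it is refused with 48, while the "any" rows are unchanged.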


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org