Re: ldapACI permissions
> < djb > I agree with your analysis that having both delete and add
> permission on the object essentially means that one could delete the
> object, and re-add it, filling in attributes, and access control as it
> liked. If the concern is that users would circumvent the access control
> checks by doing this sort of thing, I might suggest that an auditing
> facility is needed for that directory.
> Is the suggestion here that when creating an entry, a user can only set
> the values on those attributes to which he also has 'write' permission?
> Does this also mean the user needs 'write/delete' permission on all
> attributes which have values when he is deleting the entry?
I think both 'add' on entry and 'write' on attributes SHOULD be checked
when creating an entry. Otherwise there is no way to prevent a user with
'add' permission only from filling in ldapACI or other security-sensitive
attribute values.
Auditing can help detect the problem (after the fact), but shouldn't be
a substitute for access checking.
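As an added example that is not part of this thread, a small Python model of the check argued for above: creating an entry requires 'add' on the entry plus 'write' on every attribute the new entry sets, so an add-only user cannot seed ldapACI on the entry they create. The policy table, subject names and the ACI value are constructed, and the rights model is a simplification rather than OpenLDAP's ldapACI syntax.

```python
"""Constructed model of 'add on entry + write on attributes' for entry creation.
Not OpenLDAP code; the policy and subjects below are made up for illustration."""

# Policy: subject -> rights. "entry" holds entry-level rights; "attrs" maps an
# attribute type (or "*" for any) to the rights held on that attribute.
POLICY = {
    "cn=alice": {"entry": {"add"}, "attrs": {"cn": {"write"}, "sn": {"write"}}},
    "cn=admin": {"entry": {"add", "delete"}, "attrs": {"*": {"write"}}},
}


def has_attr_write(rights, attr):
    """True if the subject holds 'write' on attr directly or via the "*" wildcard."""
    attrs = rights.get("attrs", {})
    return "write" in attrs.get(attr, set()) or "write" in attrs.get("*", set())


def check_add(policy, subject, new_entry, check_attr_write=True):
    """Decide whether subject may create new_entry (dict: attr -> list of values).

    check_attr_write=False models checking only 'add' on the entry, which lets an
    add-only user populate ldapACI; True adds the per-attribute 'write' check.
    Returns (allowed, reason) so callers can log the denied attributes.
    """
    rights = policy.get(subject, {})
    if "add" not in rights.get("entry", set()):
        return False, "no 'add' right on entry"
    if check_attr_write:
        denied = sorted(a for a in new_entry if not has_attr_write(rights, a))
        if denied:
            return False, "no 'write' right on attribute(s): " + ", ".join(denied)
    return True, "allowed"


# Constructed request: alice creates an entry and tries to set its ldapACI as well.
ATTEMPT = {
    "cn": ["bob"],
    "sn": ["Smith"],
    "ldapACI": ["<constructed ACI value granting cn=alice full access>"],
}

if __name__ == "__main__":
    print("add-only check:", check_add(POLICY, "cn=alice", ATTEMPT, check_attr_write=False))
    print("add+write check:", check_add(POLICY, "cn=alice", ATTEMPT))
    print("admin:", check_add(POLICY, "cn=admin", ATTEMPT))
```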