[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: [ldapext] draft-zeilenga-ldap-assert-05 notes

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
Date: Sun, 27 Feb 2005 22:14:21 +0100
Cc: ldapext@ietf.org
In-reply-to: <6.2.0.14.0.20050226100641.09d60c50@mail.openldap.org>
References: <hbf.20050223mdue@bombur.uio.no> <6.2.0.14.0.20050223215702.06a15670@mail.openldap.org> <hbf.20050224w3mu@bombur.uio.no> <6.2.0.14.0.20050225115120.098910e0@mail.openldap.org> <hbf.20050226nvf6@bombur.uio.no> <6.2.0.14.0.20050226100641.09d60c50@mail.openldap.org>

Kurt D. Zeilenga writes:
>At 08:55 AM 2/26/2005, Hallvard B Furuseth wrote:
>>Kurt D. Zeilenga writes:
>>> (...)
>>> I think it would be reasonable to allow a user authorized to
>>> perform a modify to make that modify conditional.
>>
>> I hope not, if you mean conditional on any part of the entry.  Then if I
>> have Modify access to attribute <foo> in an entry but attribute <bar> is
>> hidden from read/search/compare by access controls, I can subvert those
>> access controls by e.g. trying remove a non-existent value from <foo> or
>> modify it to contain the same value as before, conditional on a <bar>
>> filter.  noSuchAttribute or success reveal that the filter matches the
>> "hidden" value of <bar>.  assertionFailed reveals that it does not.
>
> Ah, but the client could have used its modify rights to do:
>         changetype: modify
>         delete: foo
>         foo: bar
>         -
>         add: foo
>         foo: bar
>         -
>
> To see if that hidden <bar> exists.  Or:
>         control: no-op
>         changetype: modify
>         add: foo
>         foo: bar
>         -

Huh?  None of these refer to attribute bar, only to an attribute value
of foo.

> My point here is that "right to modify" often implies a right
> to make assertions, at least certain kinds of assertions, as
> these assertions are necessary to perform the operation.

Yes.  Still, only equality assertions, which fits Compare access
more than general search (filter) access.

>> Come to think of it, that can work even without Modify access.  Getting
>> insufficientAccessRights instead of assertionFailed can reveal that the
>> assertion succeeded, unless the server implementor took care to check
>> all access controls before checking the assertion.
>
> The access control model may have "don't disclose on error"
> provisions.

True enough.

> (...)

-- 
Hallvard

_______________________________________________
Ldapext mailing list
Ldapext@ietf.org
https://www1.ietf.org/mailman/listinfo/ldapext

Follow-Ups:
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: John McMeeking <jmcmeek@us.ibm.com>

References:
- [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: Hallvard B Furuseth <h.b.furuseth@usit.uio.no>
- Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: [ldapext] Trace control (was: comment control, dummy request, no-response request)
Next by Date: Re: [ldapext] draft-zeilenga-ldap-assert-05 notes
Index(es):
- Chronological
- Thread