
Re: Anyone can add entries?



That'd be a bug... try this patch (may take 15 min to replicate)
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/acl.c.diff?r1=1.77&r2=1.78

At 03:48 PM 7/20/00 -0400, Mark Adamson wrote:
>I'm looking at the ACLs in the OpenLDAP Beta release, downloaded a few
>days ago. I notice that anyone can add an entry to the slapd db, with no
>authentication, regardless of how I set the ACL's.
>
>I execute a command like this on some client:
>
>  % /usr/openldap/bin/ldapadd -h ldapserver -f addme
>
>Where the file "addme" adds an entry with a DN
>
>  "UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
>
>
>The slapd log, using debugging level 384 (128+256) says this:
>
>
>Backend ACL: access to *
>        by * none (=n)
>
>slapd starting
>daemon: conn=0 fd=7 connection from IP=128.2.122.223:44891 (IP=0.0.0.0:389) accepted.
>conn=0 op=0 BIND dn="" method=128
>ber_flush: 14 bytes to sd 7
>conn=0 op=0 RESULT tag=97 err=0 text=
>conn=0 op=1 ADD dn="UID=ADAMSON,OU=ACCOUNT,DC=ANDREW,DC=CMU,DC=EDU"
>=> access_allowed: write access to "ou=Account, dc=andrew, dc=cmu, dc=edu" "children" requested
>NoUserMod Operational attribute: children access granted
>ber_flush: 14 bytes to sd 7
>conn=0 op=1 RESULT tag=105 err=0 text=
>conn=0 op=2 UNBIND
>conn=-1 fd=7 closed
>
>
>
>Apparently, the "children" attributetype given in the core.schema sets a
>flag NO-USER-MODIFICATION. Then in access_allowed() in servers/slapd/acl.c, 
>around line 118, if WRITE access is requested and that flag is set,
>access_allowed()  returns "yes, do it".
>
>        /*
>        * no-user-modification operational attributes are ignored
>        * by ACL_WRITE checking as any found here are not provided
>        * by the user
>        */
>        if ( access >= ACL_WRITE && is_at_no_user_mod( desc->ad_type ) )
>        {
>                Debug( LDAP_DEBUG_ACL, "NoUserMod Operational attribute:"
>                        " %s access granted\n",
>                        attr, 0, 0 );
>                return 1;
>        }
>
>
>
>It seems no one can control who can add an entry to my slapd database.
>
>
>
>  -Mark Adamson
>   Carnegie Mellon
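The shortcut Mark quotes from access_allowed(), reduced to a small C model as an added example (constructed here, not OpenLDAP's code): the buggy form grants any write to a NO-USER-MODIFICATION attribute, so the "children" pseudo-attribute that gates ADD is never checked against the ACL list. The hardened form assumes the fix exempts the "children" and "entry" pseudo-attributes from that shortcut; the attribute table and the "by * none" policy stand-in are constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the slapd ACL shortcut quoted in the post; not OpenLDAP's code. */
enum { ACL_NONE = 0, ACL_READ = 2, ACL_WRITE = 4 };

typedef struct {
    const char *name;
    bool no_user_mod;   /* NO-USER-MODIFICATION flag from the schema */
} attr_type;

/* "children" and "entry" carry NO-USER-MODIFICATION in the schema, just like
 * genuinely server-maintained operational attributes such as modifiersName. */
static const attr_type at_children      = { "children",      true  };
static const attr_type at_entry         = { "entry",         true  };
static const attr_type at_modifiersname = { "modifiersName", true  };
static const attr_type at_cn            = { "cn",            false };

/* Stand-in for the "access to * by * none" policy from the log: the ACL
 * list itself grants nothing to anyone. */
static bool acl_list_grants(const attr_type *desc, int access) {
    (void)desc; (void)access;
    return false;
}

/* The shortcut as quoted: any NO-USER-MODIFICATION attribute skips ACL
 * evaluation for write, so an anonymous ADD (write to "children") passes. */
static bool access_allowed_buggy(const attr_type *desc, int access) {
    if (access >= ACL_WRITE && desc->no_user_mod)
        return true;
    return acl_list_grants(desc, access);
}

/* Hardened variant (assumed shape of the fix): the pseudo-attributes that
 * gate add/delete/rename of entries fall through to the real ACL check. */
static bool access_allowed_fixed(const attr_type *desc, int access) {
    if (access >= ACL_WRITE && desc->no_user_mod
        && desc != &at_children && desc != &at_entry)
        return true;
    return acl_list_grants(desc, access);
}

int main(void) {
    printf("buggy ADD by anonymous: %s\n",
           access_allowed_buggy(&at_children, ACL_WRITE) ? "granted" : "denied");
    printf("fixed ADD by anonymous: %s\n",
           access_allowed_fixed(&at_children, ACL_WRITE) ? "granted" : "denied");
    return 0;
}
```

The modifiersName case shows the shortcut still serves its original purpose for server-maintained attributes once the two pseudo-attributes are excluded.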