[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3639) Inconsistent access checking in back-shell?

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#3639) Inconsistent access checking in back-shell?
From: Kurt@OpenLDAP.org
Date: Fri, 8 Apr 2005 00:07:16 GMT

I forget why this check was added, but (as I recall) it
was purposely added.  The reasons to why likely can be
found in the commit log and/or -bugs/-devel list archives.
I'll try to dig about later...

Kurt

At 03:25 PM 4/7/2005, ando@sys-net.it wrote:
>Full_Name: Pierangelo Masarati
>Version: HEAD/2.3/2.2
>OS: Linux (whitebox)
>URL: ftp://ftp.openldap.org/incoming/
>Submission from: (NULL) (81.72.89.40)
>
>
>There appears to be an inconsistency between the behavior of back-shell and that
>of all the remaining backends with respect to access checking for the modify
>operation; back-shell appears to check for write permission to the entry
>pseudo-attribute before attempting to send modifications to the underlying
>script.  In general, access checking is pretty loose in preparing write
>operations for back-shell, but this may be regarded as necessary because of its
>intrinsic design limitations.  However, the highlighted behavior appears to be
>more over-restrictiveand inconsistent.
>
>p.

Prev by Date: Re: (ITS#3631) Implement granular write privileges
Next by Date: Re: (ITS#3637) ldap_search_s hangs in ldap_int_select over stunnel
Index(es):
- Chronological
- Thread