
Re: (ITS#4556) ACLs related to the content of *new* entries

On Fri, May 19, 2006 at 09:55:22PM +0000, hyc@symas.com wrote:
> > I would like for these members to not be able to create entries under ou=dns
> > other than those with the dNSZone OC and its attributes. This would minimize
> > risks in setups where, for example, nss_ldap was wrongly configured to do
> > subtree searches starting at @SUFFIX@. This would be a security issue, because
> > the DNS Admins could create a posixAccount entry under ou=dns and give anyone
> > they want root access (uidNumber 0).
> >
> > Having the ability to prevent the creation of specific entries would help
> > prevent such scenarios.
> The scenario you describe is mitigated though, because no users can read
> any attributes besides those that are in the dnsZone objectclass.

That depends on the rest of the ACLs, no? And at the least the DNS Admins could
become root. Of course there could be other ways for them to get root already,
being the master of DNS. DNS was just an example. The idea is to prevent
configuration accidents.

Anyway, it's not too difficult to fall into this trap when granting (groups of)
users the right to create new entries. I have no idea how common this scenario
is, I just came across it while trying to delegate some administrative tasks
to others.
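As an added illustration (not part of the original report, and not taken from OpenLDAP's own documentation), the slapd.conf fragment below puts the over-broad grant described above beside a tighter form. It assumes a group cn=DNS Admins,ou=groups,@SUFFIX@ and relies on the add_content_acl directive that later OpenLDAP releases provide to make Add operations check the attributes of the entry being added, which is exactly the check this thread asks for.

```conf
# --- The trap: DNS Admins get write on the whole subtree. ---
# Write on ou=dns itself grants the "children" pseudo-attribute (may add
# entries below it) and write on every attribute of every child, so a
# posixAccount with uidNumber 0 can be created here. Without add_content_acl
# the new entry's attributes are not checked at all, so even an attrs=
# restriction would not stop the Add.
access to dn.subtree="ou=dns,@SUFFIX@"
    by group.exact="cn=DNS Admins,ou=groups,@SUFFIX@" write
    by * read

# --- Tighter form (assumes a release with add_content_acl). ---
# Make Add check write access to every attribute in the new entry.
add_content_acl on

# Allow the group to add/delete entries directly under ou=dns.
access to dn.exact="ou=dns,@SUFFIX@" attrs=children
    by group.exact="cn=DNS Admins,ou=groups,@SUFFIX@" write
    by * read

# On entries below ou=dns, the group may write only the "entry"
# pseudo-attribute, objectClass, and the attributes of the dNSZone
# objectclass (@dNSZone). An Add carrying uid, uidNumber or gidNumber
# now fails, because those attributes fall through to the read-only rule.
access to dn.children="ou=dns,@SUFFIX@" attrs=entry,objectClass,@dNSZone
    by group.exact="cn=DNS Admins,ou=groups,@SUFFIX@" write
    by * read

# Everything else under ou=dns stays read-only for everyone.
access to dn.children="ou=dns,@SUFFIX@"
    by * read
```

The second ACL set still lets the group set objectClass freely, but a posixAccount entry cannot be completed without its required attributes, so the Add is rejected rather than silently creating a uidNumber 0 account that a subtree-searching nss_ldap would pick up.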