Re: (ITS#5884) disclose ACL not safe on non-leaf objects
> Full_Name: Andrew Findlay
> Version: HEAD 12 Jan 2009
> OS: Linux
> Submission from: (NULL) (188.8.131.52)
> Using ACLs to make a non-leaf object non-disclosable does not protect
> the subtree beneath that object.
> This is not what most people would expect (if I cannot see a given object
> then I would not expect to see things underneath it). It also provides
> a handy attack on supposedly non-detectable entries.
> For example, if I have a DIT like this:
> | +--dc=people--+
> | +--cn=a1
> and I give read access on dc=example,dc=org (base)
> and on dc=a,dc=example,dc=org (subtree)
> and dc=people,dc=b,dc=example,dc=org (subtree)
> but no access at all on dc=b,dc=example,dc=org
> then I would not expect to be able to read the cn=b1 entry, as doing so would
> expose the existence of dc=b.
> What actually happens is that any attempt to read dc=b itself returns
> correctly as if the entry does not exist, but a simple subtree search
> happily returns cn=b1.
Which is the natural outcome of granting read access to the dc=people subtree.
If you want the server's behavior to make sense, then give it ACLs that make
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
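
The behaviour discussed in this thread can be audited for. The following is an added example, not part of the original messages and not OpenLDAP code: a simplified first-match model of the access rules described in the report, which lists readable entries whose DN reveals an ancestor that has no access. The rule order, the sample entries, and the names `access`, `ancestors` and `exposed_by_descendants` are assumptions made for illustration.

```python
# Simplified first-match ACL model (an assumption for illustration, not slapd's code).
SUFFIX = "dc=example,dc=org"
# (scope, target DN, level): the grants from the report; the rule order is assumed.
RULES = [
    ("base", "dc=example,dc=org", "read"),
    ("subtree", "dc=a,dc=example,dc=org", "read"),
    ("subtree", "dc=people,dc=b,dc=example,dc=org", "read"),
    ("subtree", "dc=b,dc=example,dc=org", "none"),
]
# The same rules without the grant on the dc=people subtree.
WITHOUT_PEOPLE_GRANT = RULES[:2] + RULES[3:]
# Constructed sample entries; cn=b1 is assumed to sit under dc=people,dc=b.
ENTRIES = [
    "dc=example,dc=org",
    "dc=a,dc=example,dc=org",
    "dc=b,dc=example,dc=org",
    "dc=people,dc=b,dc=example,dc=org",
    "cn=b1,dc=people,dc=b,dc=example,dc=org",
]

def norm(dn):
    # Naive normalisation: no handling of escaped commas in RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))

def access(dn, rules):
    """Return the level of the first rule whose target covers dn."""
    dn = norm(dn)
    for scope, target, level in rules:
        target = norm(target)
        if dn == target or (scope == "subtree" and dn.endswith("," + target)):
            return level
    return "none"  # nothing matched: implicit deny

def ancestors(dn):
    """Yield the proper ancestors of dn, up to and including SUFFIX."""
    dn = norm(dn)
    while dn != SUFFIX and "," in dn:
        dn = dn.split(",", 1)[1]
        yield dn

def exposed_by_descendants(entries, rules):
    """Map each readable entry to the no-access ancestors its DN reveals."""
    findings = {}
    for dn in entries:
        hidden = [a for a in ancestors(dn) if access(a, rules) == "none"]
        if access(dn, rules) != "none" and hidden:
            findings[norm(dn)] = hidden
    return findings
```

Calling `exposed_by_descendants(ENTRIES, RULES)` flags both `dc=people,dc=b` and `cn=b1`, while the same call with `WITHOUT_PEOPLE_GRANT` reports nothing.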