Re: (ITS#5884) disclose ACL not safe on non-leaf objects
andrew.findlay@skills-1st.co.uk wrote:
> Full_Name: Andrew Findlay
> Version: HEAD 12 Jan 2009
> OS: Linux
> URL:
> Submission from: (NULL) (88.97.25.132)
>
>
> Using ACLs to make a non-leaf object non-disclosable does not protect
> the subtree beneath that object.
>
> This is not what most people would expect (if I cannot see a given object
> then I would not expect to see things underneath it). It also provides
> a handy attack on supposedly non-detectable entries.
>
> For example, if I have a DIT like this:
>
> dc=example,dc=org--+
>                    +--dc=a--+
>                    |        +--dc=people--+
>                    |                      +--cn=a1
>                    |
>                    +--dc=b--+
>                             +--dc=people--+
>                                           +--cn=b1
>
> and I give read access on dc=example,dc=org (base)
> and on dc=a,dc=example,dc=org (subtree)
> and dc=people,dc=b,dc=example,dc=org (subtree)
> but no access at all on dc=b,dc=example,dc=org
> then I would not expect to be able to read the cn=b1 entry, as doing so would
> expose the existence of dc=b.
>
> What actually happens is that any attempt to read dc=b itself returns
> correctly as if the entry does not exist, but a simple subtree search
> happily returns cn=b1.
Which is the natural outcome of granting read access to the dc=people subtree.
If you want the server's behavior to make sense, then give it ACLs that make
sense.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
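Added illustration, not part of the thread and not OpenLDAP code: a small Python model of the per-entry, first-match evaluation that the exchange above turns on. It assumes (as the reply describes) that each entry returned by a search is judged on its own by the first `access to` clause whose target matches that entry, so a deny on an ancestor such as dc=b is never consulted when cn=b1 is considered. The DIT, the rule list and the `Rule`/`subtree_search` helpers are constructed here for the example. The second rule set shows the ordering that makes the intent explicit: a subtree-scoped deny on dc=b placed before the grant on dc=people,dc=b, so first-match shadows the grant.

```python
"""Model of first-match, per-entry ACL evaluation (constructed example, not slapd)."""

from dataclasses import dataclass


def normalize(dn: str) -> str:
    """Lower-case and trim each RDN so string comparison approximates DN matching."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_within(dn: str, target: str, scope: str) -> bool:
    """dn.base matches only the entry itself; dn.subtree matches it and every descendant."""
    dn, target = normalize(dn), normalize(target)
    if scope == "base":
        return dn == target
    if scope == "subtree":
        return dn == target or dn.endswith("," + target)
    raise ValueError(f"unsupported scope {scope!r}")


@dataclass(frozen=True)
class Rule:
    dn: str       # target DN of the 'access to' clause
    scope: str    # "base" or "subtree"
    level: str    # access granted to the requester: "read" or "none"


def access_for(rules, entry_dn: str) -> str:
    """First clause whose target matches the entry decides; no match means no access."""
    for rule in rules:
        if is_within(entry_dn, rule.dn, rule.scope):
            return rule.level
    return "none"


def subtree_search(rules, entries, base: str):
    """Return the entries under base that pass a per-entry read check.

    Assumption modelled here: ancestors of a candidate entry are not re-checked,
    only the candidate itself, which is why a deny on dc=b does not hide cn=b1.
    """
    return [e for e in entries
            if is_within(e, base, "subtree") and access_for(rules, e) == "read"]


# Constructed DIT matching the tree in the report.
DIT = [
    "dc=example,dc=org",
    "dc=a,dc=example,dc=org",
    "dc=people,dc=a,dc=example,dc=org",
    "cn=a1,dc=people,dc=a,dc=example,dc=org",
    "dc=b,dc=example,dc=org",
    "dc=people,dc=b,dc=example,dc=org",
    "cn=b1,dc=people,dc=b,dc=example,dc=org",
]

# The grants described in the report: read on the base, on the dc=a subtree and on
# the dc=people,dc=b subtree, nothing on dc=b itself.
REPORTED_RULES = [
    Rule("dc=example,dc=org", "base", "read"),
    Rule("dc=a,dc=example,dc=org", "subtree", "read"),
    Rule("dc=people,dc=b,dc=example,dc=org", "subtree", "read"),
    Rule("dc=b,dc=example,dc=org", "base", "none"),
]

# Rules that state the intent directly: deny the whole dc=b subtree, and list that
# clause before any grant beneath it so first-match cannot reach the grant.
EXPLICIT_RULES = [
    Rule("dc=example,dc=org", "base", "read"),
    Rule("dc=a,dc=example,dc=org", "subtree", "read"),
    Rule("dc=b,dc=example,dc=org", "subtree", "none"),
    Rule("dc=people,dc=b,dc=example,dc=org", "subtree", "read"),
]


def reported_result():
    """What a subtree search from the suffix returns under the reported ACLs."""
    return subtree_search(REPORTED_RULES, DIT, "dc=example,dc=org")


def explicit_result():
    """The same search once the deny on dc=b covers its subtree and comes first."""
    return subtree_search(EXPLICIT_RULES, DIT, "dc=example,dc=org")


if __name__ == "__main__":
    print("reported ACLs:", reported_result())   # dc=b hidden, cn=b1 still returned
    print("explicit ACLs:", explicit_result())   # nothing under dc=b returned
```

Running it prints the two result lists: under the reported rules dc=b is absent but dc=people,dc=b and cn=b1 are returned, exactly the leak the report describes; under the explicit rules nothing below dc=b appears, because the subtree-scoped deny is the first matching clause for every one of those entries.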