[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5884) disclose ACL not safe on non-leaf objects

andrew.findlay@skills-1st.co.uk wrote:
> Full_Name: Andrew Findlay
> Version: HEAD 12 Jan 2009
> OS: Linux
> URL:
> Submission from: (NULL) (
> Using ACLs to make a non-leaf object non-disclosable does not protect
> the subtree beneath that object.
> This is not what most people would expect (if I cannot see a given object
> then I would not expect to see things underneath it). It also provides
> a handy attack on supposedly non-detectable entries.
> For example, if I have a DIT like this:
> dc=example,dc=org--+
>                     +--dc=a--+
>                     |        +--dc=people--+
>                     |                      +--cn=a1
>                     |
>                     +--dc=b--+
>                              +--dc=people--+
>                                            +--cn=b1
> and I give read access on dc=example,dc=org (base)
> and on dc=a,dc=example,dc=org (subtree)
> and dc=people,dc=b,dc=example,dc=org (subtree)
> but no access at all on dc=b,dc=example,dc=org
> then I would not expect to be able to read the cn=b1 entry, as doing so would
> expose the existence of dc=b.
> What actually happens is that any attempt to read dc=b itself returns
> correctly as if the entry does not exist, but a simple subtree search
> happily returns cn=b1.

Which is the natural outcome of granting read access to the dc=people subtree.

If you want the server's behavior to make sense, then give it ACLs that make 

   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/