
(ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access



Full_Name: Guilhem Moulin
Version: 2.4.44
OS: Debian GNU/Linux (Stretch)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (109.225.112.70)


slapd.conf(5) manpage (in both 2.4.44 and in current master, 0f320b3)
mentions that authz-policy's "all" flag requires both source and destination
authorization rules to succeed.  However if the source rule (the authentication
identity's "authzTo" attribute) fails but the destination rule (the
authorization identity's "authzFrom" attribute) succeeds, then the authorization
is granted, violating the intended semantics and possibly yielding unauthorized
access.  See the following log excerpt:

SASL proxy authorize [conn=1019]: authcid="authcid"
authzid="dn:uid=authzid,dc=example,dc=net"
==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
uid=authzid,dc=example,dc=net?
==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule
in uid=authcid,dc=example,dc=net?
<==slap_sasl_check_authz: authzTo check returning 50
==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
rule in uid=authzid,dc=example,dc=net?
<===slap_sasl_match: comparison returned 0
<==slap_sasl_check_authz: authzFrom check returning 0
<== slap_sasl_authorized: return 0
conn=1019 op=1 BIND authcid="authcid"
authzid="dn:uid=authzid,dc=example,dc=net"
SASL Authorize [conn=1019]:  proxy authorization allowed
authzDN="uid=authzid,dc=example,dc=net"
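To make the reported semantics concrete, the following is an added example, not code from the report or from OpenLDAP: a small C model of how the source (authzTo) and destination (authzFrom) checks are combined under an "any" versus an "all" policy. The flag names, the result codes (0 for success, 50 for insufficient access, 48 for inappropriate authentication) and the mapping "all" = TO|FROM|AND, "any" = TO|FROM are assumptions chosen to mirror the behaviour described above; `authorize_buggy` reproduces the fall-through that grants when only the destination rule matches, and `authorize_fixed` stops as soon as the source rule fails under AND.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of authz-policy evaluation; names and codes are
 * assumptions for this example, not slapd's own definitions. */
#define AUTHZ_FROM 0x01   /* consult the target's authzFrom rules      */
#define AUTHZ_TO   0x02   /* consult the requester's authzTo rules     */
#define AUTHZ_AND  0x04   /* "all": both rule sets must succeed        */

#define POLICY_ANY (AUTHZ_TO | AUTHZ_FROM)             /* authz-policy any */
#define POLICY_ALL (AUTHZ_TO | AUTHZ_FROM | AUTHZ_AND) /* authz-policy all */

#define RC_SUCCESS             0
#define RC_INAPPROPRIATE_AUTH  48
#define RC_INSUFFICIENT_ACCESS 50

/* One simulated proxy-authorization request: whether the source rule
 * (authzTo on the authenticating identity) and the destination rule
 * (authzFrom on the requested identity) would each match. */
struct authz_case {
    bool source_matches;
    bool dest_matches;
};

/* Mirrors the control flow the report describes as buggy: a failed source
 * check under AND does not end evaluation, so a matching destination rule
 * overwrites the failure and the request is granted. */
int authorize_buggy(int policy, const struct authz_case *c)
{
    int rc = RC_INAPPROPRIATE_AUTH;

    if (policy & AUTHZ_TO) {
        rc = c->source_matches ? RC_SUCCESS : RC_INSUFFICIENT_ACCESS;
        if (rc == RC_SUCCESS && !(policy & AUTHZ_AND))
            return rc;          /* "any": one success is enough */
        /* falls through even when rc != SUCCESS and AND is set */
    }
    if (policy & AUTHZ_FROM)
        rc = c->dest_matches ? RC_SUCCESS : RC_INSUFFICIENT_ACCESS;
    return rc;
}

/* Corrected combination: under AND a failed source check is final, and the
 * destination rule is only consulted when the source rule has succeeded. */
int authorize_fixed(int policy, const struct authz_case *c)
{
    int rc = RC_INAPPROPRIATE_AUTH;

    if (policy & AUTHZ_TO) {
        rc = c->source_matches ? RC_SUCCESS : RC_INSUFFICIENT_ACCESS;
        if (rc == RC_SUCCESS && !(policy & AUTHZ_AND))
            return rc;
        if (rc != RC_SUCCESS && (policy & AUTHZ_AND))
            return rc;          /* keep the source check's own error code */
    }
    if (policy & AUTHZ_FROM)
        rc = c->dest_matches ? RC_SUCCESS : RC_INSUFFICIENT_ACCESS;
    return rc;
}

/* Prints the decision table for both policies so the divergence is visible. */
int main(void)
{
    const struct authz_case cases[] = {
        { true,  true  }, { true,  false }, { false, true  }, { false, false },
    };
    const int policies[] = { POLICY_ANY, POLICY_ALL };
    const char *names[]  = { "any", "all" };

    for (int p = 0; p < 2; p++)
        for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++)
            printf("policy=%s authzTo=%d authzFrom=%d  buggy=%d fixed=%d\n",
                   names[p], cases[i].source_matches, cases[i].dest_matches,
                   authorize_buggy(policies[p], &cases[i]),
                   authorize_fixed(policies[p], &cases[i]));
    return 0;
}
```

The row that matters is policy "all" with authzTo=0 and authzFrom=1: the buggy path returns 0 (granted), the fixed path returns the source check's 50, which is the outcome the log excerpt above shows being lost.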

AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
is also present in master.  Here is a naive patch that fails the authorization
if the source rule doesn't verify and SASL_AUTHZ_AND is set in authz_policy.

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
        if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
            goto DONE;
        }
+        else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) {
+         rc = LDAP_INAPPROPRIATE_AUTH;
+         goto DONE;
+     }
    }
 
    /* Check destination rules */
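Review bot: the new `else if` branch discards the source check's own result code: the log above shows the authzTo check returning 50 (LDAP_INSUFFICIENT_ACCESS), but the branch overwrites `rc` with LDAP_INAPPROPRIATE_AUTH before the `goto DONE`. Unless a distinct code is intended for "AND policy, source rule failed", leaving `rc` as the source check set it and only jumping to DONE keeps the result consistent with the single-rule case; if INAPPROPRIATE_AUTH is deliberate, a one-line comment on the branch would make that clear. Minor: the added lines are indented differently from the surrounding `if` block (the closing `+     }` does not line up with the `if` it closes), so they should be made to match the file's existing indentation.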