Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
- To: openldap-its@OpenLDAP.org
- Subject: Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access
- From: hyc@symas.com
- Date: Wed, 29 Aug 2018 00:15:02 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
guilhem@fripost.org wrote:
> Full_Name: Guilhem Moulin
> Version: 2.4.44
> OS: Debian GNU/Linux (Stretch)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (109.225.112.70)
> 
> 
> slapd.conf(5) manpage (in both 2.4.44 and in current — 0f320b3 — master)
> mentions that authz-policy's "all" flag requires both source and destination
> authorization rules to succeed. However, if the source rule (the authentication
> identity's "authzTo" attribute) fails but the destination rule (the
> authorization identity's "authzFrom" attribute) succeeds, then the authorization
> is granted, violating the intended semantics and possibly yielding unauthorized
> access. See the following log excerpt:
Thanks for the report. Looks like this has been present since commit 113727ba.
Fixed now in git master.
> 
> SASL proxy authorize [conn=1019]: authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> ==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
> uid=authzid,dc=example,dc=net?
> ==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule
> in uid=authcid,dc=example,dc=net?
> <==slap_sasl_check_authz: authzTo check returning 50
> ==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
> rule in uid=authzid,dc=example,dc=net?
> <===slap_sasl_match: comparison returned 0
> <==slap_sasl_check_authz: authzFrom check returning 0
> <== slap_sasl_authorized: return 0
> conn=1019 op=1 BIND authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> SASL Authorize [conn=1019]: proxy authorization allowed
> authzDN="uid=authzid,dc=example,dc=net"
> 
> AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
> is also present in master. Here is a naive patch that fails the authorization
> if the source rules don't verify and SASL_AUTHZ_AND is set in authz_policy.
> 
> --- a/servers/slapd/saslauthz.c
> +++ b/servers/slapd/saslauthz.c
> @@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
> if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
> goto DONE;
> }
> + else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) {
> + rc = LDAP_INAPPROPRIATE_AUTH;
> + goto DONE;
> + }
> }
> 
> /* Check destination rules */
> 
> 
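Review bot: the added `else if` branch makes a source-rule (authzTo) failure final when SASL_AUTHZ_AND is set, which is the "all" semantics the manpage describes, but it replaces the rc that the authzTo check actually produced (50, LDAP_INSUFFICIENT_ACCESS in the quoted log) with LDAP_INAPPROPRIATE_AUTH; if the caller is meant to see the check's own result, a plain `goto DONE;` in that branch keeps it. With the branch in place the four combinations are: success under "any" returns early, failure under "all" returns early, and the two remaining cases (success under "all", failure under "any") fall through to the destination check, which is correct; a one-line comment above the new branch saying that under "all" the source result is decisive would make that easier to verify at a glance. A regression test for the source-fails/destination-succeeds case shown in the log excerpt would guard against the fall-through reappearing.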
-- 
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
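The following is an added example and is neither OpenLDAP's code nor the patch above: a small C model of how the decision in slap_sasl_authorized() combines the authzTo (source) and authzFrom (destination) results under the authz-policy flags, reproducing the situation in the reported log (authzTo check returned 50, authzFrom check returned 0, policy "all") both with the pre-fix fall-through and with the early return the patch proposes. The function names `authz_decide` and `reported_case`, the bit values of the `SASL_AUTHZ_*` flags, and the mapping of "any" to FROM|TO and "all" to FROM|TO|AND are assumptions made for the model.

```c
#include <stdio.h>
#include <stdbool.h>

/* LDAP result codes used by the model. 50 is the value the authzTo check
 * returned in the reported log excerpt (LDAP_INSUFFICIENT_ACCESS). */
#define LDAP_SUCCESS              0
#define LDAP_INAPPROPRIATE_AUTH   48
#define LDAP_INSUFFICIENT_ACCESS  50

/* authz-policy flags named after slapd's SASL_AUTHZ_* flags. The bit values
 * and the "any"/"all" combinations below are assumptions for this model. */
#define SASL_AUTHZ_NONE  0x00
#define SASL_AUTHZ_FROM  0x01   /* consult the destination's authzFrom */
#define SASL_AUTHZ_TO    0x02   /* consult the source's authzTo */
#define SASL_AUTHZ_AND   0x04   /* "all": both checks must succeed */
#define POLICY_ANY  (SASL_AUTHZ_FROM | SASL_AUTHZ_TO)
#define POLICY_ALL  (SASL_AUTHZ_FROM | SASL_AUTHZ_TO | SASL_AUTHZ_AND)

/* Model of the decision in slap_sasl_authorized() (hypothetical name
 * authz_decide). rc_to and rc_from stand in for the results the two
 * slap_sasl_check_authz() calls would return. With fixed == false the model
 * follows the pre-fix control flow the report describes: a source failure
 * under "all" is overwritten by the destination result. With fixed == true
 * the early return from the proposed patch is applied. Returns LDAP_SUCCESS
 * when proxy authorization is allowed. */
int authz_decide(int policy, int rc_to, int rc_from, bool fixed)
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    if (policy == SASL_AUTHZ_NONE)
        return rc;                               /* proxy authz disabled */

    /* Check source rules (authzTo on the authentication identity) */
    if (policy & SASL_AUTHZ_TO) {
        rc = rc_to;
        if (rc == LDAP_SUCCESS && !(policy & SASL_AUTHZ_AND))
            return rc;                           /* "any": one success suffices */
        if (fixed && rc != LDAP_SUCCESS && (policy & SASL_AUTHZ_AND))
            return LDAP_INAPPROPRIATE_AUTH;      /* "all": source failure is final */
    }

    /* Check destination rules (authzFrom on the authorization identity) */
    if (policy & SASL_AUTHZ_FROM)
        rc = rc_from;                            /* pre-fix: clobbers a source failure */

    return rc;
}

/* The exact situation from the log excerpt: authzTo check returned 50,
 * authzFrom check returned 0, authz-policy "all". */
int reported_case(bool fixed)
{
    return authz_decide(POLICY_ALL, LDAP_INSUFFICIENT_ACCESS, LDAP_SUCCESS, fixed);
}

int main(void)
{
    printf("authz-policy all, authzTo fails (50), authzFrom succeeds (0):\n");
    printf("  before fix: rc=%d (%s)\n", reported_case(false),
           reported_case(false) == LDAP_SUCCESS ? "allowed" : "denied");
    printf("  after fix:  rc=%d (%s)\n", reported_case(true),
           reported_case(true) == LDAP_SUCCESS ? "allowed" : "denied");
    return 0;
}
```

Run as is, the model prints "allowed" for the pre-fix path and "denied" once the early return is applied, which is the behaviour difference the report is about. The useful check for a deployment is the same one the model encodes: under "all", a failing authzTo on the authentication identity must deny the bind regardless of what the target entry's authzFrom says, so a test pair of entries where only authzFrom matches is a quick way to confirm a server carries the fix.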