
Re: (ITS#8909) "authz-policy all" works as "authz-policy any", possibly yielding unauthorized access



guilhem@fripost.org wrote:
> Full_Name: Guilhem Moulin
> Version: 2.4.44
> OS: Debian GNU/Linux (Stretch)
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (109.225.112.70)
>
>
> slapd.conf(5) manpage (in both 2.4.44 and in current — 0f320b3 — master)
> mentions that authz-policy's "all" flag requires both source and destination
> authorization rules to succeed.  However if the source rule (the authentication
> identity's "authzTo" attribute) fails but the destination rule (the
> authorization identity's "authzFrom" attribute) succeeds, then the authorization
> is granted, violating the intended semantics and possibly yielding unauthorized
> access.  See the following log excerpt:

Thanks for the report. Looks like this has been present since commit 113727ba.
Fixed now in git master.

>
> SASL proxy authorize [conn=1019]: authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> ==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become
> uid=authzid,dc=example,dc=net?
> ==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule
> in uid=authcid,dc=example,dc=net?
> <==slap_sasl_check_authz: authzTo check returning 50
> ==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom
> rule in uid=authzid,dc=example,dc=net?
> <===slap_sasl_match: comparison returned 0
> <==slap_sasl_check_authz: authzFrom check returning 0
> <== slap_sasl_authorized: return 0
> conn=1019 op=1 BIND authcid="authcid"
> authzid="dn:uid=authzid,dc=example,dc=net"
> SASL Authorize [conn=1019]:  proxy authorization allowed
> authzDN="uid=authzid,dc=example,dc=net"
>
> AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
> is also present in master.  Here is a naive patch that fails the authorization
> if the source rule doesn't verify and SASL_AUTHZ_AND is set in authz_policy.
>
> --- a/servers/slapd/saslauthz.c
> +++ b/servers/slapd/saslauthz.c
> @@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
>          if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
>              goto DONE;
>          }
> +        else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) {
> +         rc = LDAP_INAPPROPRIATE_AUTH;
> +         goto DONE;
> +     }
>      }
>  
>      /* Check destination rules */
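Review bot: the indentation of the added `else if` branch does not match the block it extends: `+         rc = LDAP_INAPPROPRIATE_AUTH;` and `+         goto DONE;` are at 9 columns where the existing `goto DONE;` sits at 12, and the closing `+     }` is at 5 where the `if`'s own `}` sits at 8; align them with the surrounding lines before this is applied. Separately, `rc = LDAP_INAPPROPRIATE_AUTH;` discards the specific result of the source check (the log above shows `authzTo check returning 50`) in favour of a uniform code; if that normalisation is intended for an AND policy, a one-line comment saying so would help, otherwise a bare `goto DONE;` keeps the more specific rc.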
>
>


-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/
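As an added illustration (not the report's patch or OpenLDAP's own code), here is a simplified C model of the policy branch of slap_sasl_authorized() that reproduces the decision recorded in the log above and shows what the proposed `else if` changes; the flag bit values and the mapping of slapd.conf's "any"/"all" onto them are assumptions of this model.

```c
#include <stdio.h>

/* LDAP result codes (values as in RFC 4511 / ldap.h) */
#define LDAP_SUCCESS             0
#define LDAP_INAPPROPRIATE_AUTH  48
#define LDAP_INSUFFICIENT_ACCESS 50

/* authz_policy flags: the names are slapd's, the bit values are assumed.
 * slapd.conf "any" = TO|FROM, "all" = TO|FROM|AND (assumed mapping). */
#define SASL_AUTHZ_FROM 0x01
#define SASL_AUTHZ_TO   0x02
#define SASL_AUTHZ_AND  0x04
#define SASL_AUTHZ_ANY  (SASL_AUTHZ_TO | SASL_AUTHZ_FROM)
#define SASL_AUTHZ_ALL  (SASL_AUTHZ_TO | SASL_AUTHZ_FROM | SASL_AUTHZ_AND)

/* Model of the policy branch of slap_sasl_authorized(). to_rc and from_rc
 * stand in for slap_sasl_check_authz() on the source (authzTo) and
 * destination (authzFrom) rules; with_fix adds the report's "else if". */
static int authz_decide(int policy, int to_rc, int from_rc, int with_fix)
{
    int rc = LDAP_INAPPROPRIATE_AUTH;
    /* Check source rules */
    if (policy & SASL_AUTHZ_TO) {
        rc = to_rc;
        if (rc == LDAP_SUCCESS && !(policy & SASL_AUTHZ_AND))
            return rc;                      /* "any": one success suffices */
        if (with_fix && rc != LDAP_SUCCESS && (policy & SASL_AUTHZ_AND))
            return LDAP_INAPPROPRIATE_AUTH; /* "all": source failed, deny */
        /* Unfixed: a failed source check falls through and is overwritten. */
    }

    /* Check destination rules */
    if (policy & SASL_AUTHZ_FROM) {
        rc = from_rc;
        if (rc == LDAP_SUCCESS)
            return rc;                      /* authzFrom alone grants access */
    }
    return LDAP_INAPPROPRIATE_AUTH;
}

int main(void)
{
    /* The report's log: authzTo check returned 50, authzFrom check returned 0. */
    printf("authz-policy all, unfixed: rc=%d\n",
           authz_decide(SASL_AUTHZ_ALL, LDAP_INSUFFICIENT_ACCESS, LDAP_SUCCESS, 0));
    printf("authz-policy all, fixed:   rc=%d\n",
           authz_decide(SASL_AUTHZ_ALL, LDAP_INSUFFICIENT_ACCESS, LDAP_SUCCESS, 1));
    return 0;
}
```

The unfixed run returns 0 (access granted on authzFrom alone), the fixed run returns 48, and the "any" and "all" cases where both rules agree behave identically in either version.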