[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels
From: quanah@symas.com
Date: Wed, 24 Jul 2019 21:45:52 +0000
Auto-submitted: auto-generated (OpenLDAP-ITS)

For informational purposes, here's additional detail as the subject and 
original problem description do not fully capture the extend of the 
problem.  In all 2.x releases prior to 2.4.48 (I.e., 2.0.x, 2.1.x, 2.2.x, 
2.3.x, and 2.4.x up to 2.4.47), the SASL security factor layer was set 
globally rather than per connection.  So once a connection had been made 
that sets a SASL SSF, any and all non SASL connections would inherit that 
value.

If ACLs are used to limit access via setting restrictions with the sasl_ssf 
parameter, connections with no sasl_ssf could match those ACLs incorrectly.

For example,

access to *
 by users sasl_ssf=56 read
 by users tls_ssf=128 read
 by * none

Would allow a user who bound without any encryption full access to the 
database as long as one SASL connection had been made that had a minimum 
sasl_ssf value of 56.

Another contrived example:

access to attrs=userPassword
 by self sasl_ssf=56 =xw
 by * auth

Would allow a user to change their own password whether or not they had 
performed a SASL bind with a sasl_ssf of 56.


--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Prev by Date: ITS#9052 published: SECURITY: ACL protections get lost if same identity uses different SSF levels
Next by Date: Re: (ITS#9052) ACL protections get lost if same identity uses different SSF levels
Index(es):
- Chronological
- Thread