
Re: slapo-dynlist design question(s)



It seems that your problem is caused by the fact that slapo-dynlist(5) implements compare on dynamically generated data by performing an internal search to collect info that, before being used or anyway accessed, will be subjected to further access control with the identity of the effective user. The reason an internal search is used in that case seems to be essentially related to code reuse, so slapo-dynlist(5) should be redesigned to avoid using internal searches in those circumstances, so that the correct access privilege is assessed (e.g. compare vs. search/read). Using the rootdn to generate the list, and then checking access to the list itself, may not be correct, because the dynamic list could become a means to circumvent access control to the actual data; think of a case where the effective user has no privileges on the actual data, but has compare, or even read access to the dynamically generated list. Then, if the list were generated as rootdn, the user would be able to compare, or even read, on data that is a derivative of otherwise inaccessible data. I would consider this a violation of data integrity.

The attached patch modifies ACL code such that the access privilege to be used can be specified (e.g. adding an o_acl_priv which is used for all checking if != ACL_NONE). I picked ACL_NONE because it's zero; ACL_INVALID_ACCESS would be more appropriate, but then we'd need to initialize all Operation structures...

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
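
The access-control argument in the message above, as an added example that is not part of the original post or of OpenLDAP's code: a toy model comparing an internal search checked at read level, list generation as rootdn, and an internal search with a compare-level override. The level names follow slapd's ordering; the types, functions, users and member values are all hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Toy model, not slapd code: level order follows slapd's, every name is hypothetical. */
typedef enum { LV_NONE = 0, LV_AUTH, LV_COMPARE, LV_SEARCH, LV_READ } lv_t;
typedef struct { const char *who; lv_t data; lv_t list; } grant_t;
typedef struct { const char *who; int is_root; lv_t acl_priv; } op_t;

static const grant_t GRANTS[] = {              /* constructed sample ACLs */
    { "cmp-user",  LV_COMPARE, LV_COMPARE },   /* compare on data and on the list */
    { "list-user", LV_NONE,    LV_COMPARE },   /* compare on the list only */
};
static const char *MEMBERS[] = { "uid=a", "uid=b" };  /* constructed underlying data */

static const grant_t *grant_for(const char *who) {
    for (size_t i = 0; i < sizeof GRANTS / sizeof GRANTS[0]; i++)
        if (strcmp(GRANTS[i].who, who) == 0) return &GRANTS[i];
    return NULL;
}

/* Same shape as the patched check: a non-zero override replaces the requested level. */
static int data_access(const op_t *op, lv_t requested) {
    lv_t access = op->acl_priv != LV_NONE ? op->acl_priv : requested;
    const grant_t *g = grant_for(op->who);
    return op->is_root || (g != NULL && g->data >= access);
}

/* Compare against the generated list: 1 = TRUE, 0 = FALSE, -1 = denied on the list. */
int dyn_compare(const char *who, int as_rootdn, lv_t override, const char *value) {
    op_t inner = { who, as_rootdn, override };            /* the internal search */
    const grant_t *g = grant_for(who);
    if (g == NULL || g->list < LV_COMPARE) return -1;
    for (size_t i = 0; i < sizeof MEMBERS / sizeof MEMBERS[0]; i++) {
        if (!data_access(&inner, LV_READ)) continue;      /* value hidden by ACL */
        if (strcmp(MEMBERS[i], value) == 0) return 1;
    }
    return 0;
}

int main(void) {
    printf("read-level search, cmp-user:   %d\n", dyn_compare("cmp-user", 0, LV_NONE, "uid=a"));
    printf("compare override, cmp-user:    %d\n", dyn_compare("cmp-user", 0, LV_COMPARE, "uid=a"));
    printf("rootdn generation, list-user:  %d\n", dyn_compare("list-user", 1, LV_NONE, "uid=a"));
    printf("compare override, list-user:   %d\n", dyn_compare("list-user", 0, LV_COMPARE, "uid=a"));
    return 0;
}
```

The third case is the one the message objects to: a user with no rights on the underlying data gets a TRUE compare because the list was built as rootdn.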

Index: servers/slapd/acl.c
===================================================================
RCS file: /home/cvs/imux/ldap/servers/slapd/acl.c,v
retrieving revision 1.1.1.12
diff -u -r1.1.1.12 acl.c
--- servers/slapd/acl.c	8 Jan 2007 22:27:18 -0000	1.1.1.12
+++ servers/slapd/acl.c	13 Jan 2007 09:51:38 -0000
@@ -359,7 +359,10 @@
 	assert( attr != NULL );
 
 	if ( op ) {
-		if ( op->o_is_auth_check &&
+		if ( op->o_acl_priv != ACL_NONE ) {
+			access = op->o_acl_priv;
+
+		} else if ( op->o_is_auth_check &&
 			( access_level == ACL_SEARCH || access_level == ACL_READ ) )
 		{
 			access = ACL_AUTH;
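Review bot: the new first branch assigns `access = op->o_acl_priv` for whatever `access_level` the caller asked for, whereas the existing `o_is_auth_check` branch only remaps `ACL_SEARCH` and `ACL_READ`. As written, every check made while the override is set is evaluated at the override level, and the `o_is_auth_check` mapping to `ACL_AUTH` is skipped because it is now in the `else if`. Consider limiting the override to `access_level == ACL_SEARCH || access_level == ACL_READ`, as the auth branch does, or at least documenting the precedence in a comment at this point.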
Index: servers/slapd/slap.h
===================================================================
RCS file: /home/cvs/imux/ldap/servers/slapd/slap.h,v
retrieving revision 1.24
diff -u -r1.24 slap.h
--- servers/slapd/slap.h	8 Jan 2007 23:31:38 -0000	1.24
+++ servers/slapd/slap.h	13 Jan 2007 09:51:39 -0000
@@ -2449,6 +2449,7 @@
 	GroupAssertion *o_groups;
 	char o_do_not_cache;	/* don't cache groups from this op */
 	char o_is_auth_check;	/* authorization in progress */
+	slap_access_t o_acl_priv;
 
 	char o_nocaching;
 	char o_delete_glue_parent;
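Review bot: `o_acl_priv` is added without a comment, while the neighbouring `o_do_not_cache` and `o_is_auth_check` each carry one. Since the acl.c hunk treats `ACL_NONE` as "no override", a comment such as `/* if != ACL_NONE, privilege used for all ACL checks in this op */` would record both the purpose and the reliance on the field starting out as zero, which also means `ACL_NONE` itself can never be requested as an override.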
Index: servers/slapd/overlays/dynlist.c
===================================================================
RCS file: /home/cvs/imux/ldap/servers/slapd/overlays/dynlist.c,v
retrieving revision 1.6
diff -u -r1.6 dynlist.c
--- servers/slapd/overlays/dynlist.c	8 Jan 2007 23:31:38 -0000	1.6
+++ servers/slapd/overlays/dynlist.c	13 Jan 2007 09:51:39 -0000
@@ -612,6 +612,8 @@
 		o.ors_attrs = an;
 		o.ors_attrsonly = 0;
 
+		o.o_acl_priv = ACL_COMPARE;
+
 		rc = o.o_bd->be_search( &o, &r );
 		filter_free_x( &o, o.ors_filter );
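Review bot: `o.o_acl_priv = ACL_COMPARE` is set unconditionally right before `be_search`, with no comment saying why a search is being checked at compare privilege. The visible context does not show that this path is reached only while serving a compare; if it can also run for other operations, the assignment should be guarded on the original operation type. Since `filter_free_x( &o, o.ors_filter )` shows `o` stays in use after the call, it would also be worth clearing the field once `be_search` returns so that later ACL checks on `o` are not silently evaluated at compare level.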