[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-dynlist desgin question(s)

--On Saturday, January 13, 2007 11:03 AM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

It seems that your problem is caused by the fact that slapo-dynlist(5)
implements compare on dynamically generated data by performing an
internal search to collect info that before being used, or anyway
accessed,  will be subjected to further access control with the identity
of the effective user.  The reason an internal search is used in that
case seems to be essentially related to code reuse, so slapo-dynlist(5)
should be redesigned to avoid using internal searches in those
circumstances, so that the correct access privilege is assessed (e.g.
compare vs. search/read).  Using the rootdn to generate the list, and
then check access to the list itself may not be correct, because the
dynamic list could become a means to circumvent access control to the
actual data; think of a case where the effective user has no privileges
on the actual data, but has compare, or even read access to the
dynamically generated list.  Then, if the list were generated as rootdn,
the user would be able to compare, or even read, on data that is a
derivative of otherwise inaccessible data.  I would consider this a
violation of data integrity.

The attached patch modifies ACL code such that the access privilege to be
used can be specified (e.g. adding a o_acl_priv which is used for all
checking if != ACL_NONE.  I picked ACL_NONE because it's zero;
ACL_INVALID_ACCESS would be more appropriate, but then we'd need to
initialize all Operation structures...)

This patch also does not work, continuing to use the credentials of the bound user.

=> acl_mask: access to entry "suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu", attr "suPrivilegeGroup" requested
=> acl_mask: to value by "uid=cadabra,cn=accounts,dc=stanford,dc=edu", (=0)
<= check a_set_pat: this/uid & user/uid
=> ldap_bv2dn(suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu,0)
<= ldap_bv2dn(suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu)=0
<<< dnNormalize: <suRegID=000648cb784048849a1573566ffe0ef8,cn=people,dc=stanford,dc=edu>
dnNormalize: <uid=cadabra,cn=accounts,dc=stanford,dc=edu>
=> ldap_bv2dn(uid=cadabra,cn=accounts,dc=stanford,dc=edu,0)
<= ldap_bv2dn(uid=cadabra,cn=accounts,dc=stanford,dc=edu)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(uid=cadabra,cn=accounts,dc=stanford,dc=edu)=0
<<< dnNormalize: <uid=cadabra,cn=accounts,dc=stanford,dc=edu>
=> bdb_entry_get: ndn: "uid=cadabra,cn=accounts,dc=stanford,dc=edu"
=> bdb_entry_get: oc: "(null)", at: "uid"
=> bdb_entry_get: found entry: "uid=cadabra,cn=accounts,dc=stanford,dc=edu"
bdb_entry_get: rc=0
<= acl_mask: no more <who> clauses, returning =0 (stop)
=> slap_access_allowed: search access denied by =0
=> access_allowed: no more rules


-- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html