
Re: ITS#8866 (was: ITS review 6/14/2019)



Michael Ströder wrote:
> On 6/27/19 6:23 PM, Michael Ströder wrote:
>> On 6/27/19 6:18 PM, Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> On 6/14/19 5:15 PM, Quanah Gibson-Mount wrote:
>>>>> Thanks to Ondrej, this list is a bit shorter now. :)
>>>>
>>>> But one more I'd love to see in 2.4.48:
>>>>
>>>> ITS#8866: RFE: slapo-constraint to return filter used in diagnostic message
>>>>
>>>> https://www.openldap.org/its/index.cgi?findid=8866
>>>
>>> I don't believe the information disclosure issues have been
>>> sufficiently answered there. Overall it's a bad idea and goes against
>>> our standing policy of minimal disclosure.
>> Sorry, you already have the disclosure.
>>
>> Citing from my old e-mail found here:
>> https://www.openldap.org/lists/openldap-devel/201711/msg00003.html
>>
>>> But this problem exists anyway because an attacker can probe
>>> values by adding entries with non-unique attributes and determine
>>> whether an attribute value exists or not by distinguishing the result
>>> code constraintViolation(19) vs. insufficientAccessRights(50).
>>> Even worse, this even works when the attacker does not have read
>>> access anywhere!

Then that's a bug that should be fixed.
> 
> Furthermore, the security of a system should not rely on confidentiality
> of the configuration. E.g. with Æ-DIR the config is publicly known.

That was your choice to decide for yourself. Not for everyone else though.
The default behavior has always been to restrict viewing of the config
to administrators. I see no reason to change this policy.

> Also note I'm usually blamed for making directory contents too confidential.
> 
> Ciao, Michael.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
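The result-code side channel discussed above (an ADD answered with constraintViolation(19) versus insufficientAccessRights(50)) is something an operator can at least watch for in slapd's own logs. The following detection script is an added example, not code from the thread or from OpenLDAP; it assumes the `conn=… op=… ADD dn=…` / `RESULT tag=105 err=…` line shape of the `stats` loglevel, and the sample log lines, bind DNs and threshold are constructed for illustration.

```python
import re
from collections import defaultdict
# Constructed sample shaped like slapd "stats" loglevel output (not a real capture).
SAMPLE_LOG = """\
conn=1000 op=0 BIND dn="uid=probe,ou=people,dc=example,dc=com" method=128
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 ADD dn="uid=t1,ou=tmp,dc=example,dc=com"
conn=1000 op=1 RESULT tag=105 err=19 text=some attributes not unique
conn=1000 op=2 ADD dn="uid=t2,ou=tmp,dc=example,dc=com"
conn=1000 op=2 RESULT tag=105 err=50 text=
conn=1000 op=3 ADD dn="uid=t3,ou=tmp,dc=example,dc=com"
conn=1000 op=3 RESULT tag=105 err=19 text=some attributes not unique
conn=1000 op=4 ADD dn="uid=t4,ou=tmp,dc=example,dc=com"
conn=1000 op=4 RESULT tag=105 err=50 text=
conn=1001 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1001 op=1 ADD dn="uid=jdoe,ou=people,dc=example,dc=com"
conn=1001 op=1 RESULT tag=105 err=0 text=
"""
# search() rather than match(): real lines carry a syslog timestamp/host prefix.
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|ADD) dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=(\d+) err=(\d+)')
ADD_RESPONSE_TAG, CONSTRAINT_VIOLATION, INSUFFICIENT_ACCESS = 105, 19, 50

def find_probing_connections(log_text, min_failed_adds=3):
    """Flag connections whose ADD operations drew both constraintViolation(19)
    and insufficientAccessRights(50), at least min_failed_adds times in total."""
    bind_dn, pending_add = {}, set()
    counts = defaultdict(lambda: {"err19": 0, "err50": 0})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if m:
            conn, op, kind, dn = m.groups()
            if kind == "BIND":
                bind_dn[conn] = dn           # remember who is issuing the ADDs
            else:
                pending_add.add((conn, op))  # ADD request waiting for its RESULT
            continue
        m = RESULT_RE.search(line)
        if not m or (m[1], m[2]) not in pending_add or int(m[3]) != ADD_RESPONSE_TAG:
            continue
        pending_add.discard((m[1], m[2]))
        if int(m[4]) == CONSTRAINT_VIOLATION:
            counts[m[1]]["err19"] += 1
        elif int(m[4]) == INSUFFICIENT_ACCESS:
            counts[m[1]]["err50"] += 1
    # A connection that never bound is reported as anonymous, matching the
    # point above that the probe needs no read access at all.
    return {conn: {"bind_dn": bind_dn.get(conn, "anonymous"), **c}
            for conn, c in counts.items()
            if c["err19"] and c["err50"] and c["err19"] + c["err50"] >= min_failed_adds}
```

Run against the constructed sample, only conn=1000 is flagged; the threshold is a tuning knob, since a single legitimate client can also hit both codes occasionally.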