
Re: (ITS#4556) ACLs related to the content of *new* entries



ahasenack@terra.com.br wrote:
> On Fri, May 19, 2006 at 09:55:22PM +0000, hyc@symas.com wrote:
>   
>> The scenario you describe is mitigated though, because no users can read 
>> any attributes besides those that are in the dnsZone objectclass.
>>     
>
> That depends on the rest of the acls, no? And at the least the DNS Admins could
> become root. Of course there could be other ways for them to get root already,
> being the master of DNS. DNS was just an example. The idea is to prevent
> configuration accidents.
>   

The ACL clause you provided was quite complete:

access to dn.sub="ou=dns,@SUFFIX@"
        attrs=children,entry,@dNSZone
        by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
        by * read


The only way for anybody to be able to read anything besides dNSZone 
attributes under this subtree is if you explicitly add another ACL 
clause to allow that.  If you're only expecting to create dNSZone 
objects under this subtree, then you have no reason to write additional 
ACL clauses for this subtree. I.e., you can only create a security hole 
here if you really want to, and if you really want to, that's your decision.

-- 
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
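As an added illustration (not part of Howard's message, and not OpenLDAP's own shipped configuration beyond the clause quoted above): the same slapd.conf ACL, annotated with what it does and does not grant, followed by the kind of extra clause that would open the hole Howard describes. @SUFFIX@ is the placeholder for the base DN used in this thread; the attribute names used in the comments (uidNumber, userPassword) are assumptions chosen to make the point concrete.

```conf
# Added example, modeled on the ACL clause quoted in ITS#4556.
# @SUFFIX@ is the base-DN placeholder used in the thread.

# The clause from the thread.  "@dNSZone" expands to every attribute the
# dNSZone objectClass requires or allows; "entry" and "children" are the
# pseudo-attributes that govern reading/adding/deleting the entries
# themselves, so DNS Admins can add and remove entries under ou=dns and
# populate them with dNSZone attributes, and everyone else can read them.
access to dn.sub="ou=dns,@SUFFIX@"
        attrs=children,entry,@dNSZone
        by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
        by * read

# Any other attribute on an entry under ou=dns (for example uidNumber or
# userPassword, if someone tried to add a posixAccount-style entry there)
# matches no clause above.  As Howard notes, nobody can read or write such
# attributes in this subtree unless a further clause grants it, so the
# subtree only holds what the dNSZone objectClass allows.

# The kind of clause that would create the hole: a catch-all for the same
# subtree with no attrs= restriction hands DNS Admins write access to every
# attribute of any entry they add.  Shown commented out; do not add it.
# access to dn.sub="ou=dns,@SUFFIX@"
#         by group.exact="cn=DNS Admins,ou=System Groups,@SUFFIX@" write
```

Clause order matters in slapd ACLs: the first `access to` whose target (DN and attribute set) matches decides the request, so a later catch-all like the commented one would still apply to every attribute the first clause does not name.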