Re: authzTo ACL check for wrong principal (ITS#5555)

[ando@sys-net.it]

Gavin Henry wrote:
>> On Mon, Jun 16, 2008 at 02:29:21PM +0000, Andrew Findlay wrote:
>>
>>> Thus I think my original report was wrong. This is a documentation
>>> issue, not a bug.
>> I have uploaded a suggested set of patches to make the behaviour
>> clearer:
>>
>> 	ftp://ftp.openldap.com/incoming/andrew.findlay-20080616.patch
>>
>> The patch is against 2.4.10
>>
>> It might be better still to factor out the concept of proxy
>> authorisation and its control from the SASL authz mechanism, as it
>> applies also to the LDAP Proxied Authorization Control.
>> I have not done this as I was unsure where best to put it.
> 
> Hi Ando,
> 
> If you get a chance at some point, could you review this patch and I'll apply it
> etc.

After a quick look, it seems to be a good starting point.  I'd be a 
little bit more careful about wording: "proxyAuthz" should probably be 
"proxied authorization"; the first time it is mentioned, a reference to 
RFC4370 should be present, both in slapd.access(5) and in the Admin 
Guide (as in the SASL section).

Also, in the contribution to the Admin Guide it is sometimes referred to 
as the "proxy facility"; I'd rather use "proxied authorization facility" 
or better "proxied authorization control".

Finally, the patch seems to correctly explain what is required in order 
to authorize.  I'd add a strong comment on the importance to protect 
authzFrom and especially authzTo from malicious writes, that could 
result in lesser privileged identities to modify their own entry in 
order to be able to self-authorize as higher privileged identities. 
Administrators should be warned as they start reading about this feature.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------