[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#3472) return code should be 32 when no access to object

To: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
Subject: Re: (ITS#3472) return code should be 32 when no access to object
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 13 Jan 2005 09:18:22 +0100
Cc: quanah@stanford.edu, openldap-devel@OpenLDAP.org
References: <200501080059.j080xbi0027275@boole.openldap.org> <6.2.0.14.0.20050107202757.02a4d308@mail.openldap.org> <41E146F2.8060607@sys-net.it> <6.2.0.14.0.20050109210804.02808150@mail.openldap.org> <41E3D5BE.80803@sys-net.it> <6.2.0.14.0.20050112210540.065fa888@mail.openldap.org>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Kurt D. Zeilenga wrote:

At 05:33 AM 1/11/2005, Pierangelo Masarati wrote:
Kurt D. Zeilenga wrote:
However, "disclose on error" (disclose) and "don't disclose on error" (none) can be implemented now in backends.

To clarify:
I'm not sure your clarification helps.
First, with this new functionality, nothing should be changed outside of error handling. When an error does occur,

not just in case of error; consider the case of plain search. If one has no permissions on the entire database, whatever search will result in no searchEntry results, but in a successful result. This means that at least the baseObject exists, but one doesn't have any access to it or to any of its subordinate objects. This is not an error, but yet requires some disclose access checking. I'd favor the idea of turning this case into an error, noSuchObject. Moreover, the data that's returned, e.g. a matchedDN, a referral and so should be subjected to disclose access.

then one
has to determine, for each piece of information to be returned,
whether the user is authorized to have that information
disclosed to it.

Of course we need to make sure we're not defeating the purpose the other way: if real noSuchObject cases always return a matchedDN, and access-related noSuchObject cases don't, its absence would be a clear indication that it is very likely that the object is very likely to exist.

If the information pertains to an attribute type, then we need to look at "disclose" on the attribute type. If the information pertains to the name of some entry (the target or nearest superior), then we need to look at "disclose" on that entry.

Well, in principle I'd agree, but this defeats the purpose of disallowing disclosure about the existence of an object, not just a value. If one wants to hide the existence of an object, operations like compare, which only check about permissions for a specific attribute:value would allow to determine the existence of an object, based on the returned code; returning noSuchAttribute if dislose is not granted on the attribute implies that the object exists. Similar considerations seem to apply to most of the write operations.

I'll wrap my recent changes into some #define SLAP_HONOR_DISCLOSE flag, so we can experiment a bit without impacting too much the rest of the development.

p.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

References:
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: (ITS#3472) return code should be 32 when no access to object
  - From: "Kurt D. Zeilenga" <Kurt@OpenLDAP.org>

Prev by Date: Re: commit: ldap/ configure configure.in
Next by Date: Re: Success Story: Perl Backend
Index(es):
- Chronological
- Thread