Full_Name: Howard Chu
Version: 2.3/HEAD
OS:
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (24.126.120.178)
Submitted by: hyc

An ACL of the form

access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by * selfwrite

is intended to only allow users to add/delete their own DN to the target attribute. Currently it allows any DNs to be modified.
changed notes
changed state Open to Test
moved from Incoming to Software Bugs
On Tuesday 13 June 2006 03:17, hyc@openldap.org wrote:
> Full_Name: Howard Chu
> Version: 2.3/HEAD
> OS:
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (24.126.120.178)
> Submitted by: hyc
>
>
> An ACL of the form
> access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by *
> selfwrite
>
> is intended to only allow users to add/delete their own DN to the target
> attribute. Currently it allows any DNs to be modified.

Current HEAD code still allows the following LDAPMod e.g. for user "uid=user,ou=people,dc=example,dc=com"

dn: cn=testgroup,ou=groups,dc=example,dc=com
add: member
member: uid=user,ou=people,dc=example,dc=com
member: uid=otheruser,ou=people,dc=example,dc=com

--
Ralf
On Tuesday 13 June 2006 03:17, hyc@openldap.org wrote:
>> Full_Name: Howard Chu
>> Version: 2.3/HEAD
>> OS:
>> URL: ftp://ftp.openldap.org/incoming/
>> Submission from: (NULL) (24.126.120.178)
>> Submitted by: hyc
>>
>>
>> An ACL of the form
>> access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by *
>> selfwrite
>>
>> is intended to only allow users to add/delete their own DN to the target
>> attribute. Currently it allows any DNs to be modified.
>>
>

The selfwrite mode is still broken for sets.

access to <foo> by set=<bar> selfwrite

gives full write access.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
On Monday 26 June 2006 14:31, hyc@symas.com wrote:
> On Tuesday 13 June 2006 03:17, hyc@openldap.org wrote:
> >> Full_Name: Howard Chu
> >> Version: 2.3/HEAD
> >> OS:
> >> URL: ftp://ftp.openldap.org/incoming/
> >> Submission from: (NULL) (24.126.120.178)
> >> Submitted by: hyc
> >>
> >>
> >> An ACL of the form
> >> access to dn.subtree="ou=groups,dc=example,dc=com" attr=member by *
> >> selfwrite
> >>
> >> is intended to only allow users to add/delete their own DN to the target
> >> attribute. Currently it allows any DNs to be modified.
>
> The selfwrite mode is still broken for sets.
> access to <foo> by set=<bar> selfwrite
> gives full write access.

Hm, I did some more checks. The following cases don't work as well:

access to <foo> by group=<bar> selfwrite

and

access to <foo> by peername=<bar> selfwrite

both give full write access. To me it seems to be broken for almost every "who" clause apart from "dn".

--
Ralf
On Tuesday 27 June 2006 11:43, rhafer@suse.de wrote:
> > The selfwrite mode is still broken for sets.
> > access to <foo> by set=<bar> selfwrite
> > gives full write access.
>
> Hm, I did some more checks. The following cases don't work as well:
>
> access to <foo> by group=<bar> selfwrite
>
> and
>
> access to <foo> by peername=<bar> selfwrite
>
> both give full write access. To me it seems to be broken for almost every
> "who" clause apart from "dn".

I have just committed another set of changes in acl.c to HEAD. The original fix did the "selfwrite" check only if there was a "dn" or "realdn" pattern in the <who>. Now that check is done regardless of what other components are present in <who>.

Please review.

--
Ralf
On Tuesday 27 June 2006 15:35, rhafer@suse.de wrote:
> On Tuesday 27 June 2006 11:43, rhafer@suse.de wrote:
> > > The selfwrite mode is still broken for sets.
> > > access to <foo> by set=<bar> selfwrite
> > > gives full write access.
> >
> > Hm, I did some more checks. The following cases don't work as well:
> >
> > access to <foo> by group=<bar> selfwrite
> >
> > and
> >
> > access to <foo> by peername=<bar> selfwrite
> >
> > both give full write access. To me it seems to be broken for almost every
> > "who" clause apart from "dn".
>
> I have just committed another set of changes in acl.c to HEAD. The original
> fix did the "selfwrite" check only if there was a "dn" or "realdn" pattern
> in the <who>. Now that check is done regardless of what other components
> are present in <who>.
>
> Please review.

Btw, test006-acls currently fails in HEAD. The failing test tries to modify a "uniquemember" attribute with selfwrite privileges. "uniqueMember" however does not have DN syntax but is "name and optional uid". What would be the correct fix, or isn't this a bug at all?

--
Ralf
rhafer@suse.de wrote:
> On Tuesday 27 June 2006 15:35, rhafer@suse.de wrote:
>> On Tuesday 27 June 2006 11:43, rhafer@suse.de wrote:
>>>> The selfwrite mode is still broken for sets.
>>>> access to <foo> by set=<bar> selfwrite
>>>> gives full write access.
>>> Hm, I did some more checks. The following cases don't work as well:
>>>
>>> access to <foo> by group=<bar> selfwrite
>>>
>>> and
>>>
>>> access to <foo> by peername=<bar> selfwrite
>>>
>>> both give full write access. To me it seems to be broken for almost every
>>> "who" clause apart from "dn".
>> I have just committed another set of changes in acl.c to HEAD. The original
>> fix did the "selfwrite" check only if there was a "dn" or "realdn" pattern
>> in the <who>. Now that check is done regardless of what other components
>> are present in <who>.
>>
>> Please review.
>
> Btw, test006-acls currently fails in HEAD. The failing test tries to modify a
> "uniquemember" attribute with selfwrite privileges. "uniqueMember" however
> does not have DN syntax but is "name and optional uid". What would be the
> correct fix, or isn't this a bug at all?
>

Oops. I forgot you'd already noted this, please ignore my other email.

At the moment I feel too lazy to worry about this for this syntax, there's no legitimate use for it in LDAP. There's hardly any use for it in X.500 really, the "uid" part is so awkward... So at the moment I don't consider that a bug.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
hyc@highlandsun.com wrote:
> rhafer@suse.de wrote:
>>> Please review.
>> Btw, test006-acls currently fails in HEAD. The failing test tries to modify a
>> "uniquemember" attribute with selfwrite privileges. "uniqueMember" however
>> does not have DN syntax but is "name and optional uid". What would be the
>> correct fix, or isn't this a bug at all?
>>
> Oops. I forgot you'd already noted this, please ignore my other email.
>
> At the moment I feel too lazy to worry about this for this syntax,
> there's no legitimate use for it in LDAP. There's hardly any use for it
> in X.500 really, the "uid" part is so awkward... So at the moment I
> don't consider that a bug.
>

Hm, I take that back. Currently we check for the NAMEUID_SYNTAX when parsing a dnattr ACL, so there's obviously an expectation that this should be handled as a DN.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/
changed notes
changed notes
changed state Test to Closed
moved from Software Bugs to Archive.Software Bugs
fixed in HEAD/re24/2.3.25
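To make the semantics discussed in this ITS concrete, here is an added Python model (constructed for this page, not OpenLDAP's acl.c) of the selfwrite check before and after Ralf's second fix, applied to the LDAPMod from his first reply and to a NameAndOptionalUID value of the kind test006-acls exercises; the `who_kind` parameter, the LDIF parser and the simplified DN normalization are assumptions of this model.

```python
"""Constructed model of slapd's 'selfwrite' privilege; not OpenLDAP code.
selfwrite on a DN-valued attribute should allow an add/delete only when
every value touched is the bound DN itself. The 'buggy' variant models the
state this ITS describes: the self check ran only for dn=/realdn= <who>
clauses, so set=, group= and peername= fell through to full write access.
"""
import re

# The LDAPMod from the thread (constructed LDIF; changetype line added).
MOD_LDIF = """dn: cn=testgroup,ou=groups,dc=example,dc=com
changetype: modify
add: member
member: uid=user,ou=people,dc=example,dc=com
member: uid=otheruser,ou=people,dc=example,dc=com
-
"""

def normalize_dn(dn):
    # Simplified stand-in for schema-aware DN matching: lower-case and
    # drop whitespace around RDN separators (assumption of this model).
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def strip_optional_uid(value):
    # NameAndOptionalUID (uniqueMember) may end in #'<bits>'B; the DN part
    # is what a selfwrite comparison has to look at.
    dn, sep, bits = value.rpartition("#")
    return dn if sep and bits.startswith("'") and bits.endswith("'B") else value

def parse_ldif_mod(text):
    """Return (attribute, values) of the single add/delete in an LDIF modify."""
    attr, values = None, []
    for line in text.strip().splitlines():
        key, _, val = line.partition(": ")
        if key in ("add", "delete"):
            attr = val
        elif attr is not None and key == attr:
            values.append(val)
    return attr, values

def selfwrite_allows(bound_dn, values):
    """Fixed behaviour: the self check applies whatever <who> clause matched."""
    me = normalize_dn(bound_dn)
    return all(normalize_dn(strip_optional_uid(v)) == me for v in values)

def selfwrite_allows_buggy(bound_dn, values, who_kind):
    """Pre-fix behaviour: only dn/realdn <who> clauses triggered the check."""
    if who_kind not in ("dn", "realdn"):
        return True  # the bug: full write access for set=, group=, peername=
    return selfwrite_allows(bound_dn, values)
```

Running `selfwrite_allows_buggy` with `who_kind="set"` on the thread's LDAPMod returns True (the other user's DN slips through), while `selfwrite_allows` rejects it and still accepts the user's own DN, including in its `uniqueMember` form with a bit-string suffix.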