
Re: (ITS#3472) return code should be 32 when no access to object



At 05:33 AM 1/11/2005, Pierangelo Masarati wrote:
>Kurt D. Zeilenga wrote:
>
>>However, "disclose on error" (disclose) and
>>"don't disclose on error" (none) can be implemented now in
>>backends.
>To clarify:

I'm not sure your clarification helps.

First, with this new functionality, nothing should be changed
outside of error handling.  When an error does occur, then one
has to determine, for each piece of information to be returned,
whether the user is authorized to have that information
disclosed to it.

If the information pertains to an attribute type, then we
need to look at "disclose" on the attribute type.   If
the information pertains to the name of some entry (the
target or nearest superior), then we need to look at
"disclose" on that entry.

Kurt


>noSuchObject should be returned whenever (and whatever) access to "entry" is required if "disclose" is not granted.  Which means:
>- when adding an entry, if no disclose is granted to the entry being added;
>- when deleting an entry, if no disclose is granted to the entry being deleted;
>- when renaming an entry, if no disclose is granted to the entry being renamed;
>- when searching, but how?  If the scope is "base", if no disclose is granted to the searchBase; I guess it would be appropriate to always return noSuchObject if no disclose is available for the searchBase, otherwise an attacker could circumvent the check by searching for onelevel or subtree while checking for the existence of the baseObject;
>- when accessing a referral, if no disclose is granted to the entry containing the referralObject.
>
>I'd also send noSuchObject if disclose is not granted to the "children" attribute of parents whenever required (i.e. add, delete, rename).
>
>Another comment: should "disclose" be also granted for each operation to succeed, or should it be checked only if the required access is not available, to decide what error to return?  In case, I vote for the latter.
>
>Note that since access to the entry pseudo-attribute is already checked, the extra check for disclose can be easily implemented by using access_allowed_mask(), which also returns the complete access mask and can be used to check if disclose is granted in case the requested privilege is not granted.
>
>p.
>
>
>
>   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
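
The error-path decision discussed in this message, as an added C example that is not part of the original post and is not OpenLDAP code. The `entry` struct, the `ACC_*` bits, and the `decide()` and `same_result()` helpers are hypothetical names for this sketch; it assumes the superior's name is simply omitted when "disclose" is not granted on it.

```c
#include <stddef.h>
#include <string.h>

/* LDAP result codes from RFC 4511. */
enum { LDAP_SUCCESS = 0, LDAP_NO_SUCH_OBJECT = 32, LDAP_INSUFFICIENT_ACCESS = 50 };

/* Hypothetical access bits for this sketch (not slapd's own mask values). */
enum { ACC_DISCLOSE = 1u << 0, ACC_READ = 1u << 1, ACC_WRITE = 1u << 2 };

/* Constructed model: an entry's DN and what the ACLs grant the requester on it. */
struct entry { const char *dn; unsigned mask; };

struct result { int code; const char *matched_dn; /* NULL = omitted */ };

/*
 * target:   the entry named in the request, or NULL if it does not exist.
 * superior: nearest existing superior of the target, or NULL.
 * wanted:   access bits the operation needs on the target.
 */
struct result decide(const struct entry *target, const struct entry *superior, unsigned wanted)
{
    struct result r = { LDAP_SUCCESS, NULL };

    /* Normal path is unchanged: disclose is not required for success. */
    if (target && (target->mask & wanted) == wanted)
        return r;

    /* Error path: the requester learns the entry exists only with disclose. */
    if (target && (target->mask & ACC_DISCLOSE)) {
        r.code = LDAP_INSUFFICIENT_ACCESS;
        return r;
    }

    /* Hidden and missing targets take the same branch, so the answers match. */
    r.code = LDAP_NO_SUCH_OBJECT;
    /* The superior's name is itself information: check disclose on that entry. */
    if (superior && (superior->mask & ACC_DISCLOSE))
        r.matched_dn = superior->dn;
    return r;
}

/* Returns 1 if two results are indistinguishable to the client. */
int same_result(struct result a, struct result b)
{
    if (a.code != b.code) return 0;
    if (!a.matched_dn || !b.matched_dn) return a.matched_dn == b.matched_dn;
    return strcmp(a.matched_dn, b.matched_dn) == 0;
}
```

Comparing `decide()` for a hidden entry and for a NULL target with `same_result()` shows whether a client could tell "exists but not disclosed" apart from "does not exist".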