[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Enforcing attribute ACL on add operations

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: Enforcing attribute ACL on add operations
From: Pierangelo Masarati <ando@sys-net.it>
Date: Fri, 03 Oct 2008 16:10:47 +0200
Cc: openldap-devel@openldap.org
In-reply-to: <1io8ppc.fst51g15uf719M%manu@netbsd.org>
References: <1io8ppc.fst51g15uf719M%manu@netbsd.org>
User-agent: Thunderbird 2.0.0.16 (X11/20080724)

Emmanuel Dreyfus wrote:

Pierangelo Masarati <ando@sys-net.it> wrote:
In any case, I note that fixing this issue broke test006 (at least).
I think this is going to break many setups that had a security hole but nobody was aware of it.

I mean: test006 is broken now, we can no longer make test. You should check why the test is broken and try to fix it :) Probably, according to the old access rule, a user with "add" permission for entries is adding an entry without having "add" permission on all the attributes.

A database option can make everyone happy, but is there anyone
complaining?

I'm not particularly in favor of a config option as soon as we're happy with the fix.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Follow-Ups:
- Re: Enforcing attribute ACL on add operations
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: Enforcing attribute ACL on add operations
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: Fwd: RE24 testing
Next by Date: Re: Enforcing attribute ACL on add operations
Index(es):
- Chronological
- Thread