
Re: ACL for PGP [Virus checked (@MLP)] [Virus checked]



Hi,

the interpretation is quite simple.
It goes from top to bottom and stops at the first match.

On Wednesday 09 January 2002 13:28, you wrote:
> access to    dn=".*,o=PGP Keys,dc=atrete,dc=ch" by * write
Anybody has write access to anything below o=PGP Keys,dc=atrete,dc=ch

> access to dn=".*,dc=atrete,dc=ch" by * write
Anybody has write access to anything below dc=atrete,dc=ch

> access to dn=".*,dc=ch" by * read
Anybody has read access to anything below dc=atrete,dc=ch
But remember: anything below dc=atrete,dc=ch is writable
because of the "stop at first match" rule.

> access to * by * write
Anybody has write access to anything else

IMHO the first line is not necessary, since it should be covered
by the second line.

Conclusion(s):
1 A very big part of your directory is writable by anybody
  (including anonymous).
  [This is very funny if you use your directory to publish
  PGP keys, since anybody can publish faked PGP keys.]
2 If you only have entries below dc=atrete,dc=ch in your directory,
  the only entry that is read-only is the entry dc=atrete,dc=ch.
3 If you have entries below dc=ch in your directory that are not below
  dc=atrete,dc=ch, they are all read-only.


Yours
Peter

-- 
Peter Marschall     |   eMail: peter.marschall@mayn.de
Scheffelstraße 15   |          peter.marschall@is-energy.de
97072 Würzburg      |   Tel:   0931/14721
PGP:  D7 FF 20 FE E6 6B 31 74  D1 10 88 E0 3C FE 28 35
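The "top to bottom, stop at the first match" rule from the reply above, worked through in code. This is an added example, not code from the original mail or from OpenLDAP itself: a small evaluator that models slapd's ACL selection (the first `access to` clause whose DN pattern matches the entry is chosen, then the first matching `by` clause inside it decides, and if none matches access is denied) and runs it over the four ACLs quoted in the thread. The hardened ACL set, the `cn=keymaster,dc=atrete,dc=ch` identity and the sample entry DNs are assumptions made for the example; whether slapd anchors a `dn=` regex is also treated as an assumption here (the toy uses an unanchored search, so anchoring with `^` and `$` is the safe way to write the real rules).

```python
"""Toy evaluator for OpenLDAP-style slapd.conf ACLs (first match wins).

Added example, not from the original mail and not OpenLDAP code.
Models the rule in the reply: the first 'access to' clause whose DN
pattern matches the entry is selected; within it, the first matching
'by' clause decides; no matching 'by' clause means deny.
"""
import re

# Access levels in slapd order; a level implies everything to its left.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# The ACL set quoted in the thread (dn="..." is a regex in slapd 2.0 syntax).
ORIGINAL_ACLS = [
    (r".*,o=PGP Keys,dc=atrete,dc=ch", [("*", "write")]),
    (r".*,dc=atrete,dc=ch",            [("*", "write")]),
    (r".*,dc=ch",                      [("*", "read")]),
    (r".*",                            [("*", "write")]),
]

# Hardened set (assumption, not from the mail): a key entry is writable only
# by itself or by an assumed admin DN, everything else is read-only or
# denied, and every regex is anchored so it cannot match unexpected DNs.
HARDENED_ACLS = [
    (r"^.*,o=PGP Keys,dc=atrete,dc=ch$",
        [("self", "write"),
         ("cn=keymaster,dc=atrete,dc=ch", "write"),   # assumed admin identity
         ("*", "read")]),
    (r"^.*,dc=ch$", [("*", "read")]),
    (r"^.*$",       [("*", "none")]),
]


def who_matches(who, requestor, entry_dn):
    """'by' subject: '*' everyone, 'anonymous', 'users' (any bound DN),
    'self' (bound as the entry itself), or an exact DN. requestor None means
    an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requestor is None
    if who == "users":
        return requestor is not None
    if who == "self":
        return requestor is not None and requestor.lower() == entry_dn.lower()
    return requestor is not None and requestor.lower() == who.lower()


def effective_access(acls, entry_dn, requestor=None):
    """Access level requestor (None = anonymous) gets on entry_dn."""
    for pattern, by_clauses in acls:
        # Assumption: patterns are unanchored unless written with ^ and $,
        # which is why the hardened set anchors all of them.
        if re.search(pattern, entry_dn):
            for who, level in by_clauses:
                if who_matches(who, requestor, entry_dn):
                    return level
            return "none"    # target matched, no 'by' clause did: stop, deny
    return "none"            # nothing matched: default deny


def can_write(acls, entry_dn, requestor=None):
    """True if the requestor may modify entry_dn under the given ACLs."""
    return LEVELS.index(effective_access(acls, entry_dn, requestor)) >= LEVELS.index("write")


def report(acls, entry_dns, requestor=None):
    """Map each sample DN to the access level the requestor obtains."""
    return {dn: effective_access(acls, dn, requestor) for dn in entry_dns}


if __name__ == "__main__":
    # Constructed sample entries covering the three conclusions in the mail.
    samples = [
        "cn=bob,o=PGP Keys,dc=atrete,dc=ch",   # a published key
        "dc=atrete,dc=ch",                     # the base entry itself
        "o=other,dc=ch",                       # below dc=ch, not below dc=atrete
        "dc=ch",                               # matches only the catch-all
    ]
    for name, acls in (("original", ORIGINAL_ACLS), ("hardened", HARDENED_ACLS)):
        print(name, "anonymous:", report(acls, samples))
```

Run as a script it prints the effective level per sample DN for an anonymous requestor; the original set gives write to the PGP key entries and read to the base entry, which is the situation the reply warns about (anyone can publish a faked key).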