Bug 1909675

Summary: RHDS11: “write” permission of ACI changes ns-slapd’s behavior on search operation
Product: Red Hat Directory Server Reporter: kyoneyama <kyoneyam>
Component: 389-ds-baseAssignee: mreynolds
Status: CLOSED ERRATA QA Contact: RHDS QE <ds-qe-bugs>
Severity: high Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high    
Version: 11.1CC: gkimetto, ldap-maint, mreynolds, msauton, sgouvern, tbordaz, tkubota, tomichi, vashirov
Target Milestone: DS11.1   
Target Release: dirsrv-11.1   
Hardware: All   
OS: Linux   
Whiteboard: sync-to-jira
Fixed In Version: redhat-ds-11-8020020210210175100-51c5a973 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1921856 1924130 1925537 (view as bug list) Environment:
Last Closed: 2021-02-16 18:30:27 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1921856, 1924130, 1925452, 1925537, 1925540    

Description kyoneyama 2020-12-21 11:32:03 UTC 
Description of problem:

The search results are different between older version of RHDS10 and RHDS11 when non-existent entry is specified as BaseDN like

  (RHDS10)
  $ ldapsearch -LLL-x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?
  32

  (RHDS11)
  $ ldapsearch -LLL-x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?
  0

  
The customer is requesting to provide a way to get RDHS11 to work in the old way of RHDS10 (i.e. return 32(NO_SUCH_OBJECT) instead of 0(SUCCESS)).
I have found the workaround that adds the follwoing aci attritbute to the root suffix.

  aci: (targetattr="*")(version 3.0; acl "Read/Write permission for all users"; allow (read,write) userdn="ldap:///all";)

However, it won't work properly if specifying read and search.

  aci: (targetattr="*")(version 3.0; acl "Read/Search permission for all users"; allow (read,search) userdn="ldap:///all";)


Why does “write” permission change ns-slapd’s behavior on search operations?
Is this dangerous from a security point of view?


Version-Release number of selected component (if applicable):

- Red Hat Enterprise Linux 8
- RHDS11
- 389-ds-base-1.4.3.13-1.module+el8dsrv+8334+69a46a2e.x86_64


How reproducible:

  Always


Steps to Reproduce:

(Test for read and write permissions)
1. Bind as non-root DN and search an entry under non-existing subtree(i.e. ou=dummy) with ldapsearch.

  $ ldapsearch -LLL -x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?

2. To grant all users ad admin, add an ACI attribute to root suffix(i.e. dc=ad,dc=example,dc=com)

  $ ldapmodify -x -D "cn=Directory Manager" -W -f add-aci.ldif

  -- add-aci.ldif --
  dn: dc=ad,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr="*")(version 3.0; acl "Read/Write permission for all users” ; allow (read,write) userdn="ldap:///all";)

3. Be sure ldapsearch's return code.

  $ ldapsearch -LLL -x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?


(Test for read and search permissions)
1. Delete the mention-above ACI

  $ sed "s/add:/delete:/g" add-aci.ldif | ldapmodify -x -D "cn=Directory Manager" -W 

2. Add another ACI attribute to root suffix

  $ ldapmodify -x -D "cn=Directory Manager" -W -f add-aci2.ldif

  -- add-aci2.ldif --
  dn: dc=ad,dc=example,dc=com
  changetype: modify
  add: aci
  aci: (targetattr="*")(version 3.0; acl "Read/Search permission for all users” ; allow (read,search) userdn="ldap:///all";)

3. Be sure ldapsearch's return code

  $ ldapsearch -LLL -x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?


Actual results:

RHDS11 returns 0 if binding as non-root DN.

  $ ldapsearch -LLL -x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?
  0


Expected results:

RHDS11 returns 32 if binding as non-root DN.

  $ ldapsearch -LLL -x -D "uid=testuser1,ou=People,dc=ad,dc=example,dc=com" -W -b "ou=dummy,dc=ad,dc=example,dc=com"
  $ echo $?
  32


Additional info:

### Analysis

The behavior of RHDS10 and 11 has changed after fixing the security problem.

  https://bugzilla.redhat.com/show_bug.cgi?id=1347760
  https://access.redhat.com/security/cve/CVE-2016-4992


I found the following lines that determine if the user and ACL match in acl__resource_match_aci().
And the comment indicates that it requires `write` for modrdn operation.


  -- ldap/servers/plugins/acl/acl.c in 389-ds-base --
  static int
  acl__resource_match_aci(Acl_PBlock *aclpb, aci_t *aci, int skip_attrEval, int *a_matched)
  {
  ...
 
      if (!attr_matched_in_targetattrfilters) { # case of "targetattr=XXX"
 
          /* match target attr */
          if ((c_attrEval) &&
              (aci->aci_type & ACI_TARGET_ATTR)) {
 
  ...
 
              } else if (aci_right & SLAPI_ACL_WRITE &&                            ***
                         (aci->aci_type & ACI_TARGET_ATTR) &&                      ***
                         !(c_attrEval) &&                                          ***
                         (aci->aci_type & ACI_HAS_ALLOW_RULE)) {
                  /* We need to handle modrdn operation.  Modrdn doesn't
              ** change any attrs but changes the RDN and so (attr=NULL).
              ** Here we found an acl which has a targetattr but
              ** the resource doesn't need one. In that case, we should
              ** consider this acl.
              ** the opposite is true if it is a deny rule, only a deny without
              ** any targetattr should deny modrdn
              ** default: matches = ACL_TRUE;
              */


Why does 389-ds need `write` to match user to the ACI in the case of targetattr rule?
Comment 2 mreynolds 2021-01-13 14:44:24 UTC 
Investigating issue...
Comment 3 mreynolds 2021-01-13 18:59:24 UTC 
Upstream ticket:

https://github.com/389ds/389-ds-base/issues/4542
Comment 4 mreynolds 2021-01-26 16:20:15 UTC 
Fixed upstream.
Comment 11 sgouvern 2021-02-08 15:47:07 UTC 
With 389-ds-base-1.4.2.12-4.module+el8dsrv+9724+324d713e.x86_64

======================================================== test session starts =======================================================
platform linux -- Python 3.6.8, pytest-6.2.2, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3.6
cachedir: .pytest_cache
metadata: {'Python': '3.6.8', 'Platform': 'Linux-4.18.0-193.el8.x86_64-x86_64-with-redhat-8.2-Ootpa', 'Packages': {'pytest': '6.2.2', 'py': '1.10.0', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '1.11.0', 'html': '3.1.1', 'libfaketime': '0.1.2'}}
389-ds-base: 1.4.2.12-4.module+el8dsrv+9724+324d713e
nss: 3.44.0-15.el8
nspr: 4.21.0-2.el8_0
openldap: 2.4.46-11.el8
cyrus-sasl: 2.1.27-1.el8
FIPS: disabled
rootdir: /mnt/tests/rhds/tests/upstream/ds/dirsrvtests, configfile: pytest.ini
plugins: metadata-1.11.0, html-3.1.1, libfaketime-0.1.2
collected 1 item                                                                                                                                                       

dirsrvtests/tests/suites/acl/repeated_ldap_add_test.py::test_repeated_ldap_add DEBUG:lib389:Allocate <class 'lib389.DirSrv'> with None


INFO:dirsrvtests.tests.suites.acl.repeated_ldap_add_test:SUCCESS
PASSEDDEBUG:lib389:systemd status -> True
DEBUG:lib389:systemd status -> True
===================================== 1 passed, 47 warnings in 990.56s (0:16:30) ====================================================



Marking as Verified
Comment 19 errata-xmlrpc 2021-02-16 18:30:27 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: redhat-ds:11 security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:0599