Bug 190724 - ACIs need to be evaluated before password syntax is checked
Product: 389
Classification: Community
Component: Security - Password Policy
All Linux
Priority: medium
Severity: medium
Assigned To: Nathan Kinder
Viktor Ashirov
Depends On:
Blocks: 152373 fds103trackingbug 240316
Reported: 2006-05-04 14:34 EDT by Nathan Kinder
Modified: 2015-12-07 11:49 EST (History)

Doc Type: Bug Fix
Last Closed: 2015-12-07 11:49:18 EST

Attachments
CVS Diffs (5.19 KB, patch), 2006-05-04 14:34 EDT, Nathan Kinder
Revised Diffs (4.87 KB, patch), 2006-05-05 11:26 EDT, Nathan Kinder
Additional diff to fix HP-UX PA compilation error (1001 bytes, patch), 2006-05-05 14:33 EDT, Nathan Kinder

Description Nathan Kinder 2006-05-04 14:34:25 EDT
When password syntax checking is enabled, we check the password syntax before
evaluating ACIs.  This means that an anonymous user can attempt to change a
user's password and they will receive an error about the syntax being invalid
rather than an access denied message.

This is keeping us from returning more detailed error messages (password too
short, not enough digits, etc.) when the password syntax is incorrect since we
don't want to give away policy information to an un-authenticated user.

The attached changes cause the ACIs to be checked for write privilege to the
userPassword attribute before we check the password syntax.
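The ordering problem described above, as an added illustration that is not 389 Directory Server code: a toy ACI evaluator and a toy syntax policy stand in for slapi_acl_check_mods() and the server's password-policy code, and the function names (check_aci, check_syntax, handle_modify, leaks_policy), the policy values and the sample DNs are assumptions. Running the same three candidate passwords through both orderings shows why checking syntax first turns the server into a password-policy oracle for an anonymous bind, and why checking ACIs first lets the detailed messages (too short, not enough digits) be returned safely to callers who actually hold write access.

```python
"""Check-ordering model for an LDAP modify of userPassword.

Added illustration, not 389 Directory Server code. check_aci() stands in for
slapi_acl_check_mods() and check_syntax() for the password-policy code; the
function names, policy values and sample DNs below are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# LDAP result codes (RFC 4511 values)
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19
LDAP_INSUFFICIENT_ACCESS = 50

ANONYMOUS = ""                            # empty bind DN
DIRECTORY_MANAGER = "cn=directory manager"


@dataclass(frozen=True)
class Policy:
    """Toy password-syntax policy (constructed values)."""
    min_length: int = 8
    min_digits: int = 2


def check_aci(bind_dn: str, target_dn: str) -> bool:
    """Toy ACI: an entry may write its own userPassword, Directory Manager
    may write anyone's, an anonymous bind may write nothing."""
    bind_dn, target_dn = bind_dn.lower(), target_dn.lower()
    if bind_dn == DIRECTORY_MANAGER:
        return True
    return bind_dn != ANONYMOUS and bind_dn == target_dn


def check_syntax(password: str, policy: Policy) -> Optional[str]:
    """Return the detailed reason a password violates policy, or None."""
    if len(password) < policy.min_length:
        return f"password too short (minimum {policy.min_length})"
    if sum(c.isdigit() for c in password) < policy.min_digits:
        return f"not enough digits (minimum {policy.min_digits})"
    return None


def handle_modify(bind_dn: str, target_dn: str, new_password: str,
                  policy: Policy = Policy(), aci_first: bool = True) -> Tuple[int, str]:
    """Process a 'replace: userPassword' modify and return (result code, message).

    aci_first=True is the fixed ordering; aci_first=False reproduces the bug,
    where the syntax is checked before the caller's write privilege is."""
    def aci_step() -> Optional[Tuple[int, str]]:
        if check_aci(bind_dn, target_dn):
            return None
        return (LDAP_INSUFFICIENT_ACCESS,
                f"Insufficient 'write' privilege to the 'userPassword' "
                f"attribute of entry '{target_dn}'.")

    def syntax_step() -> Optional[Tuple[int, str]]:
        reason = check_syntax(new_password, policy)
        return None if reason is None else (LDAP_CONSTRAINT_VIOLATION, reason)

    order = (aci_step, syntax_step) if aci_first else (syntax_step, aci_step)
    for step in order:
        outcome = step()
        if outcome is not None:
            return outcome
    return (LDAP_SUCCESS, "")


def leaks_policy(bind_dn: str, target_dn: str, candidates: Iterable[str],
                 policy: Policy = Policy(), aci_first: bool = True) -> bool:
    """True if a caller can tell the candidate passwords apart by the response
    alone. For a caller with no write access that means the server is acting
    as a password-policy oracle."""
    responses = {handle_modify(bind_dn, target_dn, p, policy, aci_first)
                 for p in candidates}
    return len(responses) > 1


if __name__ == "__main__":
    target = "uid=alice,dc=example,dc=com"          # constructed DN
    probes = ["abc", "abcdefgh", "abcdefg12"]       # too short / no digits / valid
    for aci_first in (False, True):
        print("ACI first (fixed)" if aci_first else "syntax first (bug)")
        for p in probes:
            code, msg = handle_modify(ANONYMOUS, target, p, aci_first=aci_first)
            print(f"  anonymous, {p!r:12} -> {code} {msg}")
        print("  policy oracle for anonymous:",
              leaks_policy(ANONYMOUS, target, probes, aci_first=aci_first))
```

With the buggy order an anonymous bind gets three different responses for the three probes, so the policy (and whether a given password would be accepted) can be enumerated without any credentials; with ACIs evaluated first every probe from that bind returns the same insufficient-access result, while a bind that does hold write privilege still receives the detailed syntax reason.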
Comment 1 Nathan Kinder 2006-05-04 14:34:26 EDT
Created attachment 128620 [details]
CVS Diffs
Comment 2 Nathan Kinder 2006-05-05 11:26:50 EDT
Created attachment 128660 [details]
Revised Diffs

In response to Rich's review of the fix, a few things have been changed. 
Instead of searching for the target entry to check the ACIs in modify.c, I now
simply create a new Slapi_Entry that only has the dn set.  This is all that is
needed when calling slapi_acl_check_mods(), and it should have better
performance than fetching the real entry.  I also fixed a confusing piece of
code where an array of LDAPMod elements is created from the single userPassword
LDAPMod in modify.c.
Comment 3 Nathan Kinder 2006-05-05 12:06:14 EDT
Checked into ldapserver (HEAD).  Reviewed by Rich (thanks!).

Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v  <--  add.c
new revision: 1.7; previous revision: 1.6
Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v  <--  modify.c
new revision: 1.10; previous revision: 1.9
Comment 4 Nathan Kinder 2006-05-05 14:33:06 EDT
Created attachment 128671 [details]
Additional diff to fix HP-UX PA compilation error

The previous code fails to build on HP-UX PA because it doesn't like the way we
initialize the LDAPMod array in modify.c.  Strangely, it works fine on HP-UX
IPF.  This change should fix the build on PA.
Comment 5 Nathan Kinder 2006-05-05 14:39:06 EDT
Checked in additional fix for HP-UX PA compilation error.

Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v  <--  modify.c
new revision: 1.11; previous revision: 1.10
Comment 6 Yi Zhang 2007-12-03 13:51:38 EST
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com (RHEL 64bit)

Test steps:
1. setup DS on cypher
2. access "cn=config" as anonymous (ensure anonymous access succeeds)
3. change password for user "cn=directory manager" as anonymous
Expected result: access denied
Actual result: access denied, test passed

actual test output:
[yzhang@cypher en]$ /usr/lib64/mozldap/ldapsearch -h cypher -p 389 -s sub -b "cn=config" objectclass=* "*"
version: 1
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

[yzhang@cypher tmp]$ /usr/lib64/mozldap/ldapmodify -h cypher -p 389 -a -f
modifying entry cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'password'
attribute of entry 'cn=directory administrators,dc=dsdev,dc=sjc,dc=redhat,dc=com'.

Data file used
[yzhang@cypher tmp]$ cat < changepw.ldif 
dn: cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
changetype: modify
replace: password
password: newpassword

