Bug 190724 - ACIs need to be evaluated before password syntax is checked
Summary: ACIs need to be evaluated before password syntax is checked
Alias: None
Product: 389
Classification: Retired
Component: Security - Password Policy   
(Show other bugs)
Version: 1.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nathan Kinder
QA Contact: Viktor Ashirov
Depends On:
Blocks: 152373 fds103trackingbug 240316
TreeView+ depends on / blocked
Reported: 2006-05-04 18:34 UTC by Nathan Kinder
Modified: 2015-12-07 16:49 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-12-07 16:49:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
CVS Diffs (5.19 KB, patch)
2006-05-04 18:34 UTC, Nathan Kinder
no flags Details | Diff
Revised Diffs (4.87 KB, patch)
2006-05-05 15:26 UTC, Nathan Kinder
no flags Details | Diff
Additional diff to fix HP-UX PA compilation error (1001 bytes, patch)
2006-05-05 18:33 UTC, Nathan Kinder
no flags Details | Diff

Description Nathan Kinder 2006-05-04 18:34:25 UTC
When password syntax checking is enabled, we check the password syntax before
evaluating ACIs.  This means that an anonymous user can attempt to change a
user's password and they will receive an error about the syntax being invalid
rather than an access denied message.

This is keeping us from returning more detailed error messages (password too
short, not enough digits, etc.) when the password syntax is incorrect since we
don't want to give away policy information to an un-authenticated user.

The attached changes cause the ACIs to be checked for write priviledge to the
userPassword attribute before we check the password syntax.

Comment 1 Nathan Kinder 2006-05-04 18:34:26 UTC
Created attachment 128620 [details]
CVS Diffs

Comment 2 Nathan Kinder 2006-05-05 15:26:50 UTC
Created attachment 128660 [details]
Revised Diffs

In response to Rich's review of the fix, a few things have been changed. 
Instead of searching for the target entry to check the ACIs in modify.c, I now
simply create a new Slapi_Entry that only has the dn set.  This is all that is
needed when calling slapi_acl_check_mods(), and it should have better
performance than fetching the real entry.  I also fixed a confusing piece of
code where an array of LDAPMod elements is created from the single userPassword
LDAPMod in modify.c.

Comment 3 Nathan Kinder 2006-05-05 16:06:14 UTC
Checked into ldapserver (HEAD).  Reviewed by Rich (thanks!).

Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v  <--  add.c
new revision: 1.7; previous revision: 1.6
Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v  <--  modify.c
new revision: 1.10; previous revision: 1.9

Comment 4 Nathan Kinder 2006-05-05 18:33:06 UTC
Created attachment 128671 [details]
Additional diff to fix HP-UX PA compilation error

The previos code fails to build on HP-UX PA because it doesn't like the way we
initialize the LDAPMod array in modify.c.  Strangely, it works fine on HP-UX
IPF.  This change shoudl fix the build on PA.

Comment 5 Nathan Kinder 2006-05-05 18:39:06 UTC
Checked in additional fix for HP-UX PA compilation error.

Checking in modify.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/modify.c,v  <--  modify.c
new revision: 1.11; previous revision: 1.10

Comment 6 Yi Zhang 2007-12-03 18:51:38 UTC
Verification test: PASS
Test machine: cypher.dsdev.sjc.redhat.com (REHL 64bit)

Test steps:
1. setup DS on cypher
2. access "cn=config" as anonalymous (ensure anonalymous access success)
3. change password for user "cn=directory manager" as anonalysis 
Except result  :  access denial
Actual result  : access denied , test passed

acutal test output:
[yzhang@cypher en]$ /usr/lib64/mozldap/ldapsearch -h cypher -p 389  -s sub -b
"cn=config" objectclass=* "*"
version: 1
dn: cn=SNMP,cn=config
objectClass: top
objectClass: nsSNMP
cn: SNMP
nsSNMPEnabled: on

[yzhang@cypher tmp]$ /usr/lib64/mozldap/ldapmodify -h cypher -p 389 -a -f
modifying entry cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
ldap_modify: Insufficient access
ldap_modify: additional info: Insufficient 'write' privilege to the 'password'
attribute of entry 'cn=directory administrators,dc=dsdev,dc=sjc,dc=redhat,dc=com'.

Data file used
[yzhang@cypher tmp]$ cat < changepw.ldif 
dn: cn=Directory Administrators, dc=dsdev, dc=sjc, dc=redhat, dc=com
changetype: modify
replace: password
password: newpassword


Note You need to log in before you can comment on or make changes to this bug.