Bug 214463 - Add permission not handled correctly with userPassword attribute
Add permission not handled correctly with userPassword attribute
Product: 389
Classification: Community
Component: Security - Access Control (ACL) (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nathan Kinder
Viktor Ashirov
Depends On:
Blocks: 152373 240316
  Show dependency treegraph
Reported: 2006-11-07 14:05 EST by Nathan Kinder
Modified: 2015-12-07 12:00 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-12-07 12:00:51 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
CVS Diffs (1.26 KB, patch)
2006-11-07 14:05 EST, Nathan Kinder
no flags Details | Diff

  None (edit)
Description Nathan Kinder 2006-11-07 14:05:16 EST
The "add" access right is not dealt with properly for the userPassword
attribute.  If you add the following ACI, anyone should be able to add a new entry:

(targetattr ="*")(version 3.0; acl "foo"; allow (add) (userdn = "ldap:///anyone");)

You will find that you get an error 50 when you attempt to add an entry
containing a userPassword attribute with the above ACI.  This is due to a
permissions check that occurs during an add operation to see if access to
userPassword is allowed before doing any password syntax checking.  The problem
is that it checks for the SLAPI_ACL_WRITE privilege instead of the SLAPI_ACL_ADD
privilege.  The SLAPI_ACL_WRITE privilege checks if the user is allowed to
perform a modify operation, not an add.

The attached diff fixes this issue.
Comment 1 Nathan Kinder 2006-11-07 14:05:16 EST
Created attachment 140582 [details]
CVS Diffs
Comment 3 Nathan Kinder 2006-11-07 15:01:13 EST
Checked into ldapserver (HEAD).  Thanks for the review Rich!

Checking in add.c;
/cvs/dirsec/ldapserver/ldap/servers/slapd/add.c,v  <--  add.c
new revision: 1.9; previous revision: 1.8

Note You need to log in before you can comment on or make changes to this bug.