Bug 214682 - DNS based ACIs not working correctly
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Security - Access Control (ACL)
Version: 1.0.2
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Nathan Kinder
QA Contact: Viktor Ashirov
Depends On:
Blocks: 152373 240316
Reported: 2006-11-08 15:56 EST by Nathan Kinder
Modified: 2015-12-07 12:07 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 12:07:59 EST
Attachments
CVS Diffs (859 bytes, patch)
2006-11-08 15:56 EST, Nathan Kinder
Description Nathan Kinder 2006-11-08 15:56:31 EST
DNS based ACIs are not working correctly.  It turns out that switching most of
our string functions to safer NSPR string functions that ensure null termination
caused this regression.

The first time the server evaluates a DNS based ACI, we generate a hashtable
from any domain/hostname that is specified in all ACIs.  The problem is that we
aren't using PL_strncpyz properly, so the last character in the list doesn't get
copied.  The fix is to add one to the "max" argument so the entire string gets
copied.

To reproduce this issue, add an ACI similar to the following:

(target ="ldap:///dc=dstest,dc=com")(targetattr=*)(version 3.0; aci "DNS
 aci"; allow(all) userdn = "ldap:///uid=foo,dc=dstest,dc=com"and dns
  = "*" ;)

If you then attempt to modify the "dc=dstest,dc=com" entry, the operation will
be rejected.  With the fix, the operation will complete successfully.
Comment 1 Nathan Kinder 2006-11-08 15:56:31 EST
Created attachment 140714
CVS Diffs
Comment 3 Noriko Hosoi 2006-11-08 16:17:49 EST
Looks good!

This is a snippet of the comments of PL_strncpyz.  So, this is what was
happening... 

 * PL_strncpyz
 * NOTE: If you call this with a source "abcdefg" and a max of 5, the
 * destination will end up with "abcd\0" (i.e., its strlen length will be 4)!
 *
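
The off-by-one discussed above, as an added C example that is not the lasdns.cpp code or the attached patch: `strncpyz_like` is a stand-in written here with the semantics quoted in comment 3, and `copy_first_name` and the sample names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in written for this example (not NSPR's PL_strncpyz itself) with the
 * semantics quoted in comment 3: copies at most max-1 characters and always
 * NUL-terminates the destination. */
static char *strncpyz_like(char *dest, const char *src, size_t max)
{
    size_t i = 0;
    if (dest == NULL || src == NULL || max == 0)
        return NULL;
    while (i + 1 < max && src[i] != '\0') {
        dest[i] = src[i];
        i++;
    }
    dest[i] = '\0';
    return dest;
}

/* Hypothetical helper: copy the first comma-separated name from `list`.
 * extra = 0 reproduces the regression (max == token length);
 * extra = 1 is the shape of the fix (room for the terminator).
 * Returns the copied length, or -1 if the name does not fit in `out`. */
static int copy_first_name(const char *list, char *out, size_t outsz, size_t extra)
{
    size_t len = strcspn(list, ",");
    if (len + 1 > outsz)
        return -1;                 /* max must never exceed the destination */
    out[0] = '\0';                 /* defined result even when max is 0 */
    strncpyz_like(out, list, len + extra);
    return (int)strlen(out);
}

int main(void)
{
    /* Constructed sample values, not taken from a real configuration. */
    const char *samples[] = { "*", "a.example.com,b.example.com" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        copy_first_name(samples[i], buf, sizeof buf, 0);
        printf("max=len   : \"%s\"\n", buf);
        copy_first_name(samples[i], buf, sizeof buf, 1);
        printf("max=len+1 : \"%s\"\n", buf);
    }
    return 0;
}
```

With max equal to the token length, the single-character pattern `*` is stored as an empty string, so the stored key no longer equals the pattern written in the ACI.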
Comment 4 Nathan Kinder 2006-11-08 16:24:33 EST
Thanks for the review Noriko!  The fix is now checked into ldapserver (HEAD).

Checking in lasdns.cpp;
/cvs/dirsec/ldapserver/lib/libaccess/lasdns.cpp,v  <--  lasdns.cpp
new revision: 1.7; previous revision: 1.6
done
Comment 5 Michael Gregg 2007-12-14 18:27:15 EST
I was able to modify a db with the following aci:

(targetattr = "*") (version 3.0;acl "<Unnamed ACI>";allow (all)(userdn =
"ldap:///anyone" and dns = "*");)

Verified against:
1197673782 redhat-ds-base-8.0.0-11.el5dsrv Fri Dec 14 2007 
1197673784 redhat-ds-admin-8.0.0-1.15.el5dsrv Fri Dec 14 2007 
1197673785 redhat-ds-console-8.0.0-8.el5dsrv Fri Dec 14 2007 
1197673786 redhat-admin-console-8.0.0-9.el5dsrv Fri Dec 14 2007 
