Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 214682

Summary: DNS based ACIs not working correctly
Product: [Retired] 389
Component: Security - Access Control (ACL)
Version: 1.0.2
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Nathan Kinder <nkinder>
Assignee: Nathan Kinder <nkinder>
QA Contact: Viktor Ashirov <vashirov>
CC: nhosoi, rmeggins
Doc Type: Bug Fix
Last Closed: 2015-12-07 17:07:59 UTC
Bug Blocks: 152373, 240316
Attachments: CVS Diffs (flags: none)

Description Nathan Kinder 2006-11-08 20:56:31 UTC
DNS based ACIs are not working correctly.  It turns out that switching most of
our string functions to safer NSPR string functions that ensure null termination
caused this regression.

The first time the server evaluates a DNS based ACI, we generate a hashtable
from any domain/hostname that is specified in all ACIs.  The problem is that we
aren't using PL_strncpyz properly, so the last character in the list doesn't get
copied.  The fix is to add one to the "max" argument so the entire string gets
copied.

To reproduce this issue, add an ACI similar to the following:

(target ="ldap:///dc=dstest,dc=com")(targetattr=*)(version 3.0; aci "DNS aci"; allow(all) userdn = "ldap:///uid=foo,dc=dstest,dc=com" and dns = "*" ;)

If you then attempt to modify the "dc=dstest,dc=com" entry, the operation will
be rejected.  With the fix, the operation will complete successfully.
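Added example (not code from this bug, 389 or NSPR) that reproduces the off-by-one described above in isolation: a local stand-in with PL_strncpyz's contract, a token copy made with the pre-fix max and with the fixed max + 1, and a lookup over a dns list that misses the `"*"` entry until the fix is applied. The helper names and the comma-separated list format are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Local stand-in for NSPR's PL_strncpyz so the example builds without NSPR
 * (assumption: same contract as the real function). At most max-1 bytes are
 * copied and dest is always NUL-terminated, so a max equal to strlen(src)
 * silently drops the final character. */
static char *my_strncpyz(char *dest, const char *src, size_t max)
{
    size_t n = 0;
    if (max == 0) return dest;
    while (n < max - 1 && src[n] != '\0') {
        dest[n] = src[n];
        n++;
    }
    dest[n] = '\0';
    return dest;
}

/* Copy the `len`-byte token starting at `start` into `out`. When `buggy` is
 * set the call mimics the pre-fix code (max == len); otherwise it passes
 * len + 1, which is the fix described in the bug. */
static char *copy_token(char *out, size_t outsz, const char *start,
                        size_t len, int buggy)
{
    size_t max = buggy ? len : len + 1;
    if (max > outsz) max = outsz;
    return my_strncpyz(out, start, max);
}

/* Walk a comma-separated dns list (constructed to resemble the ACI's
 * dns = "..." value), copy each token the way the server copies names when
 * building its table, and report whether `host` is found. Returns 1 on match. */
int dns_list_contains(const char *list, const char *host, int buggy)
{
    char tok[256];
    const char *p = list;
    while (*p) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        tok[0] = '\0';
        copy_token(tok, sizeof tok, p, len, buggy);
        if (strcmp(tok, host) == 0)
            return 1;
        if (!comma)
            break;
        p = comma + 1;
    }
    return 0;
}
```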

Comment 1 Nathan Kinder 2006-11-08 20:56:31 UTC
Created attachment 140714 [details]
CVS Diffs

Comment 3 Noriko Hosoi 2006-11-08 21:17:49 UTC
Looks good!

This is a snippet of the comments of PL_strncpyz.  So, this is what was
happening...

 * PL_strncpyz
 * NOTE: If you call this with a source "abcdefg" and a max of 5, the
 * destination will end up with "abcd\0" (i.e., its strlen length will be 4)!
 *

Comment 4 Nathan Kinder 2006-11-08 21:24:33 UTC
Thanks for the review Noriko!  The fix is now checked into ldapserver (HEAD).

Checking in lasdns.cpp;
/cvs/dirsec/ldapserver/lib/libaccess/lasdns.cpp,v  <--  lasdns.cpp
new revision: 1.7; previous revision: 1.6
done

Comment 5 Michael Gregg 2007-12-14 23:27:15 UTC
I was able to modify a db with the following aci:

(targetattr = "*") (version 3.0;acl "<Unnamed ACI>";allow (all)(userdn = "ldap:///anyone" and dns = "*");)

Verified against:
1197673782 redhat-ds-base-8.0.0-11.el5dsrv Fri Dec 14 2007 
1197673784 redhat-ds-admin-8.0.0-1.15.el5dsrv Fri Dec 14 2007 
1197673785 redhat-ds-console-8.0.0-8.el5dsrv Fri Dec 14 2007 
1197673786 redhat-admin-console-8.0.0-9.el5dsrv Fri Dec 14 2007