Bug 860772 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rich Megginson
Sankar Ramalingam
: SecurityTracking
Depends On:
Blocks: CVE-2012-4450
  Show dependency treegraph
Reported: 2012-09-26 12:45 EDT by Noriko Hosoi
Modified: 2013-06-24 06:49 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When modrdn operation was executed, only newrdn change was passed to the acl plugin. Also, the change was used only for the acl search, but not for the acl target in the items in the acl cache. Consequence: Once modrdn is operated, acl assigned to the entry was temporarily disabled until the server is restarted. Fix: The newsuperior update is also passed to the acl plugin. And the modrdn updates are applied to the acl target in the acl cache. Result: Acl is not affected by the modrdn operation.
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 03:20:58 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Noriko Hosoi 2012-09-26 12:45:54 EDT
This bug is created as a clone of upstream ticket:


/* This function is now fully executed for internal and replicated ops. */
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )

    /* newrdn: "change" is normalized but not case-ignored */
    /* The acl plugin expects normalized newrdn, but no need to be case-
     * ignored. */
    (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );

Bug description:
The change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl.

There may be other places in the code where there is an implicit assumption that modrdn with new superior is not supported.
Comment 1 Noriko Hosoi 2012-09-26 13:09:19 EDT
Cherry picked 5beb93d42efb807838c09c5fab898876876f8d09.

Pushed to external 389-ds-base-1.2.11.
$ git push origin 389-ds-base-1.2.11-ext:389-ds-base-1.2.11
Counting objects: 25, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.55 KiB, done.
Total 13 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   cf42a2f..7399cbd  389-ds-base-1.2.11-ext -> 389-ds-base-1.2.11
Comment 3 Sankar Ramalingam 2012-09-27 12:22:29 EDT
QA acked.
Comment 5 Milan Kubík 2013-01-29 08:06:37 EST
acl modrdn suite:

modrdn Test trac340: test for renaming target entry
Create a test user entry
adding new entry uid=trac340,o=ace industry,c=us

Create a new ou entry with an aci
adding new entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 has the access
dn: ou=OU0,o=ace industry,c=us
OK: uid=trac340 has the access.
Rename ou=OU0 to ou=OU1
modifying RDN of entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 still has the access
dn: ou=OU1,o=ace industry,c=us
OK: uid=trac340 has the access.
Create another ou=OU2
adding new entry ou=OU2,o=ace industry,c=us

Move ou=OU1 under ou=OU2
modifying RDN of entry ou=OU1,o=ace industry,c=us and/or moving it beneath a new parent

Make sure uid=trac340 still has the access
dn: ou=OU1,ou=OU2,o=ace industry,c=us
OK: uid=trac340 has the access.
Clean up the test entries
ldap_delete: No such object
TestCase [trac340] result-> [PASS]

$ rpm -qa 389-ds-base

Comment 6 errata-xmlrpc 2013-02-21 03:20:58 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

Comment 7 Milan Kubík 2013-06-24 06:49:36 EDT
Covered in acl modrdn suite

Note You need to log in before you can comment on or make changes to this bug.