Bug 860772 – Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 860772 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl

Summary:	Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	389-ds-base (Show other bugs)
Sub Component:
Version:	6.4
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Rich Megginson
QA Contact:	Sankar Ramalingam
Docs Contact:

URL:
Whiteboard:
Keywords:	SecurityTracking

Depends On:
Blocks:	CVE-2012-4450
	Show dependency tree / graph

Reported:	2012-09-26 12:45 EDT by Noriko Hosoi
Modified:	2013-06-24 06:49 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	Cause: When modrdn operation was executed, only newrdn change was passed to the acl plugin. Also, the change was used only for the acl search, but not for the acl target in the items in the acl cache. Consequence: Once modrdn is operated, acl assigned to the entry was temporarily disabled until the server is restarted. Fix: The newsuperior update is also passed to the acl plugin. And the modrdn updates are applied to the acl target in the acl cache. Result: Acl is not affected by the modrdn operation.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2013-02-21 03:20:58 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2013:0503	normal	SHIPPED_LIVE	Moderate: 389-ds-base security, bug fix, and enhancement update	2013-02-21 03:18:44 EST

Groups: None (edit)

Description Noriko Hosoi 2012-09-26 12:45:54 EDT

This bug is created as a clone of upstream ticket:
https://fedorahosted.org/389/ticket/340

plugin_acl.c

/* This function is now fully executed for internal and replicated ops. */
int
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )

  case SLAPI_OPERATION_MODRDN:
    /* newrdn: "change" is normalized but not case-ignored */
    /* The acl plugin expects normalized newrdn, but no need to be case-
     * ignored. */
    (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );
    break;

Bug description:
The change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl.

There may be other places in the code where there is an implicit assumption that modrdn with new superior is not supported.

Comment 1 Noriko Hosoi 2012-09-26 13:09:19 EDT

Cherry picked 5beb93d42efb807838c09c5fab898876876f8d09.

Pushed to external 389-ds-base-1.2.11.
$ git push origin 389-ds-base-1.2.11-ext:389-ds-base-1.2.11
Counting objects: 25, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.55 KiB, done.
Total 13 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   cf42a2f..7399cbd  389-ds-base-1.2.11-ext -> 389-ds-base-1.2.11

Comment 3 Sankar Ramalingam 2012-09-27 12:22:29 EDT

QA acked.

Comment 5 Milan Kubík 2013-01-29 08:06:37 EST

acl modrdn suite:

modrdn Test trac340: test for renaming target entry
Create a test user entry
adding new entry uid=trac340,o=ace industry,c=us

Create a new ou entry with an aci
adding new entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 has the access
dn: ou=OU0,o=ace industry,c=us
OK: uid=trac340 has the access.
Rename ou=OU0 to ou=OU1
modifying RDN of entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 still has the access
dn: ou=OU1,o=ace industry,c=us
OK: uid=trac340 has the access.
Create another ou=OU2
adding new entry ou=OU2,o=ace industry,c=us

Move ou=OU1 under ou=OU2
modifying RDN of entry ou=OU1,o=ace industry,c=us and/or moving it beneath a new parent


Make sure uid=trac340 still has the access
dn: ou=OU1,ou=OU2,o=ace industry,c=us
OK: uid=trac340 has the access.
Clean up the test entries
ldap_delete: No such object
TestCase [trac340] result-> [PASS]

$ rpm -qa 389-ds-base
389-ds-base-1.2.11.15-11

Verified.

Comment 6 errata-xmlrpc 2013-02-21 03:20:58 EST

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2013-0503.html

Comment 7 Milan Kubík 2013-06-24 06:49:36 EDT

Covered in acl modrdn suite

Note You need to log in before you can comment on or make changes to this bug.