Bug 860772 - Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Summary: Change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: 389-ds-base
Version: 6.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Rich Megginson
QA Contact: Sankar Ramalingam
Depends On:
Blocks: CVE-2012-4450
TreeView+ depends on / blocked
Reported: 2012-09-26 16:45 UTC by Noriko Hosoi
Modified: 2013-06-24 10:49 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: When modrdn operation was executed, only newrdn change was passed to the acl plugin. Also, the change was used only for the acl search, but not for the acl target in the items in the acl cache. Consequence: Once modrdn is operated, acl assigned to the entry was temporarily disabled until the server is restarted. Fix: The newsuperior update is also passed to the acl plugin. And the modrdn updates are applied to the acl target in the acl cache. Result: Acl is not affected by the modrdn operation.
Clone Of:
Last Closed: 2013-02-21 08:20:58 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:0503 normal SHIPPED_LIVE Moderate: 389-ds-base security, bug fix, and enhancement update 2013-02-21 08:18:44 UTC

Description Noriko Hosoi 2012-09-26 16:45:54 UTC
This bug is created as a clone of upstream ticket:


/* This function is now fully executed for internal and replicated ops. */
plugin_call_acl_mods_update ( Slapi_PBlock *pb, int optype )

    /* newrdn: "change" is normalized but not case-ignored */
    /* The acl plugin expects normalized newrdn, but no need to be case-
     * ignored. */
    (void)slapi_pblock_get( pb, SLAPI_MODRDN_NEWRDN, &change );

Bug description:
The change on SLAPI_MODRDN_NEWSUPERIOR is not evaluated in acl.

There may be other places in the code where there is an implicit assumption that modrdn with new superior is not supported.

Comment 1 Noriko Hosoi 2012-09-26 17:09:19 UTC
Cherry picked 5beb93d42efb807838c09c5fab898876876f8d09.

Pushed to external 389-ds-base-1.2.11.
$ git push origin 389-ds-base-1.2.11-ext:389-ds-base-1.2.11
Counting objects: 25, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (13/13), done.
Writing objects: 100% (13/13), 2.55 KiB, done.
Total 13 (delta 11), reused 0 (delta 0)
To ssh://git.fedorahosted.org/git/389/ds.git
   cf42a2f..7399cbd  389-ds-base-1.2.11-ext -> 389-ds-base-1.2.11

Comment 3 Sankar Ramalingam 2012-09-27 16:22:29 UTC
QA acked.

Comment 5 Milan Kubík 2013-01-29 13:06:37 UTC
acl modrdn suite:

modrdn Test trac340: test for renaming target entry
Create a test user entry
adding new entry uid=trac340,o=ace industry,c=us

Create a new ou entry with an aci
adding new entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 has the access
dn: ou=OU0,o=ace industry,c=us
OK: uid=trac340 has the access.
Rename ou=OU0 to ou=OU1
modifying RDN of entry ou=OU0,o=ace industry,c=us

Make sure uid=trac340 still has the access
dn: ou=OU1,o=ace industry,c=us
OK: uid=trac340 has the access.
Create another ou=OU2
adding new entry ou=OU2,o=ace industry,c=us

Move ou=OU1 under ou=OU2
modifying RDN of entry ou=OU1,o=ace industry,c=us and/or moving it beneath a new parent

Make sure uid=trac340 still has the access
dn: ou=OU1,ou=OU2,o=ace industry,c=us
OK: uid=trac340 has the access.
Clean up the test entries
ldap_delete: No such object
TestCase [trac340] result-> [PASS]

$ rpm -qa 389-ds-base


Comment 6 errata-xmlrpc 2013-02-21 08:20:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Comment 7 Milan Kubík 2013-06-24 10:49:36 UTC
Covered in acl modrdn suite

Note You need to log in before you can comment on or make changes to this bug.