guilhem@fripost.org wrote:
Full_Name: Guilhem Moulin
Version: 2.4.44
OS: Debian GNU/Linux (Stretch)
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (109.225.112.70)

slapd.conf(5) manpage (in both 2.4.44 and in current — 0f320b3 — master) mentions that authz-policy's "all" flag requires both source and destination authorization rules to succeed. However, if the source rule (the authentication identity's "authzTo" attribute) fails but the destination rule (the authorization identity's "authzFrom" attribute) succeeds, then the authorization is granted, violating the intended semantics and possibly yielding unauthorized access. See the following log excerpt:
Thanks for the report. Looks like this has been present since commit 113727ba. Fixed now in git master.
SASL proxy authorize [conn=1019]: authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net"
==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become uid=authzid,dc=example,dc=net?
==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule in uid=authcid,dc=example,dc=net?
<==slap_sasl_check_authz: authzTo check returning 50
==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom rule in uid=authzid,dc=example,dc=net?
<===slap_sasl_match: comparison returned 0
<==slap_sasl_check_authz: authzFrom check returning 0
<== slap_sasl_authorized: return 0
conn=1019 op=1 BIND authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net"
SASL Authorize [conn=1019]: proxy authorization allowed authzDN="uid=authzid,dc=example,dc=net"

AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and is also present in master. Here is a naive patch that fails the authorization if the source rules don't verify and SASL_AUTHZ_AND is set in authz_policy.
--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
if( rc == LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND) ) {
goto DONE;
}
else if( rc != LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AND) ) {
rc = LDAP_INAPPROPRIATE_AUTH;
goto DONE;
}
}

/* Check destination rules */
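Review bot: the added `else if` closes the fall-through the report describes (an authzTo miss under SASL_AUTHZ_AND no longer reaches the destination check), but it replaces the result of the source check with a fixed `rc = LDAP_INAPPROPRIATE_AUTH;`, whereas the log excerpt above shows that check returning 50; either drop that assignment so the caller sees the code slap_sasl_check_authz produced, or add a comment stating that an "all"-policy failure is deliberately normalised to LDAP_INAPPROPRIATE_AUTH regardless of which rule failed. The `(authz_policy & SASL_AUTHZ_AND)` test in the new branch is needed and should stay: without it a source miss would also stop the authzFrom check under the non-AND policy, which is supposed to accept either rule.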
-- 
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
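To make the control-flow bug in the thread concrete, here is an added stand-alone model of slap_sasl_authorized() as the report and the patch describe it. It is not OpenLDAP code: the two rule checks are replaced by boolean inputs, the policy bits and the `authorize()` function are this model's own names, and the only values taken from the page are the 50 the authzTo check returned in the log and the `LDAP_INAPPROPRIATE_AUTH` used by the patch (48 and 50 are the standard LDAP result codes for inappropriateAuthentication and insufficientAccessRights). The `fixed` flag switches between the flow as reported and the flow with the patch's early exit, so the "all" policy can be checked against all four rule outcomes.

```c
/* Added example: a model of the proxy-authorization decision discussed in
 * the thread above, NOT OpenLDAP's saslauthz.c. Rule evaluation is replaced
 * by boolean inputs; policy bit names and authorize() are this model's own. */
#include <stdio.h>

#define LDAP_SUCCESS              0
#define LDAP_INAPPROPRIATE_AUTH  48   /* standard LDAP inappropriateAuthentication */
#define LDAP_INSUFFICIENT_ACCESS 50   /* standard LDAP insufficientAccessRights; the log shows 50 */

/* Model of the authz-policy bits: check source rules, check destination
 * rules, and require both ("all") rather than either ("any"). */
#define AUTHZ_TO   0x1u
#define AUTHZ_FROM 0x2u
#define AUTHZ_AND  0x4u

/* to_ok   : outcome of the authzTo rule on the authentication identity
 * from_ok : outcome of the authzFrom rule on the authorization identity
 * fixed   : 0 = control flow as reported, 1 = with the patch's early exit */
int authorize(unsigned policy, int to_ok, int from_ok, int fixed)
{
    int rc = LDAP_INAPPROPRIATE_AUTH;

    /* Check source rules */
    if (policy & AUTHZ_TO) {
        rc = to_ok ? LDAP_SUCCESS : LDAP_INSUFFICIENT_ACCESS;
        if (rc == LDAP_SUCCESS && !(policy & AUTHZ_AND))
            return rc;                         /* "any": one success is enough */
        if (fixed && rc != LDAP_SUCCESS && (policy & AUTHZ_AND))
            return LDAP_INAPPROPRIATE_AUTH;    /* "all": source failed, stop here */
    }

    /* Check destination rules. Unpatched, this is reached under "all" even
     * when the source rule failed, and a destination match grants access. */
    if (policy & AUTHZ_FROM) {
        rc = from_ok ? LDAP_SUCCESS : LDAP_INSUFFICIENT_ACCESS;
        if (rc == LDAP_SUCCESS)
            return rc;
    }

    return LDAP_INAPPROPRIATE_AUTH;
}

/* Print the decision table for the "all" policy, before and after the fix. */
int main(void)
{
    const unsigned all = AUTHZ_TO | AUTHZ_FROM | AUTHZ_AND;
    int to, from;

    printf("authzTo authzFrom  reported  patched\n");
    for (to = 0; to < 2; to++) {
        for (from = 0; from < 2; from++) {
            printf("  %s      %s      rc=%-3d    rc=%d\n",
                   to ? "ok  " : "fail", from ? "ok  " : "fail",
                   authorize(all, to, from, 0), authorize(all, to, from, 1));
        }
    }
    return 0;
}
```

The row that matters is authzTo fail / authzFrom ok: the reported flow returns rc=0 (granted), the patched flow returns 48, while the non-AND policy keeps accepting either rule.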