guilhem(a)fripost.org wrote:
Full_Name: Guilhem Moulin
Version: 2.4.44
OS: Debian GNU/Linux (Stretch)
URL:
ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (109.225.112.70)

slapd.conf(5) manpage (in both 2.4.44 and in current — 0f320b3 — master)
mentions that authz-policy's "all" flag requires both source and destination
authorization rules to succeed. However if the source rule (the
authentication identity's "authzTo" attribute) fails but the destination rule
(the authorization identity's "authzFrom" attribute) succeeds, then the
authorization is granted, violating the intended semantics and possibly
yielding unauthorized access. See the following log excerpt:
Thanks for the report. Looks like this has been present since commit 113727ba.
Fixed now in git master.

SASL proxy authorize [conn=1019]: authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net"
==>slap_sasl_authorized: can uid=authcid,dc=example,dc=net become uid=authzid,dc=example,dc=net?
==>slap_sasl_check_authz: does uid=authzid,dc=example,dc=net match authzTo rule in uid=authcid,dc=example,dc=net?
<==slap_sasl_check_authz: authzTo check returning 50
==>slap_sasl_check_authz: does uid=authcid,dc=example,dc=net match authzFrom rule in uid=authzid,dc=example,dc=net?
<===slap_sasl_match: comparison returned 0
<==slap_sasl_check_authz: authzFrom check returning 0
<== slap_sasl_authorized: return 0
conn=1019 op=1 BIND authcid="authcid" authzid="dn:uid=authzid,dc=example,dc=net"
SASL Authorize [conn=1019]: proxy authorization allowed authzDN="uid=authzid,dc=example,dc=net"

AFAICT the problem is in servers/slapd/saslauthz.c:slap_sasl_authorized(), and
is also present in master. Here is a naive patch that fails the authorization
if the source rule doesn't verify and SASL_AUTHZ_AND is set in authz_policy.

--- a/servers/slapd/saslauthz.c
+++ b/servers/slapd/saslauthz.c
@@ -2077,6 +2077,10 @@ int slap_sasl_authorized( Operation *op,
if( rc =3D=3D LDAP_SUCCESS && !(authz_policy & SASL_AUTHZ_AND)=
) {
goto DONE;
}
+ else if( rc !=3D LDAP_SUCCESS && (authz_policy & SASL_AUTHZ_AN=
D) ) {
+ rc =3D LDAP_INAPPROPRIATE_AUTH;
+ goto DONE;
+ }
}
=20
/* Check destination rules */
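Review bot: the new `else if` branch discards the source check's own result code (the log above shows the authzTo check returning 50) and replaces it with LDAP_INAPPROPRIATE_AUTH before jumping to DONE; that is the conservative choice, since the client learns nothing about which rule failed, but it is worth saying so in the commit message, and worth logging the original rc before it is overwritten for the benefit of whoever reads the trace next. The branch is guarded by SASL_AUTHZ_AND, so policies that do not set it keep the existing fall-through to the destination rules, and because it sits inside the source-rules block it is only reached when the source rule is actually evaluated, which the "all" policy described above guarantees. A style point: both tests compare `rc` against LDAP_SUCCESS and `authz_policy` against SASL_AUTHZ_AND, so nesting them as `if( rc == LDAP_SUCCESS ) { if( !(authz_policy & SASL_AUTHZ_AND) ) goto DONE; } else if( authz_policy & SASL_AUTHZ_AND ) { ... }` would make the two-case structure plainer.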


--
-- Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/
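The following is a stand-alone C model of the evaluation order the report describes, added here as an illustration; it is not slapd code and not the patch above. The flag and result-code names mirror those in the report and the log, but the numeric values, the POLICY_ANY/POLICY_ALL macros, the `struct checks` input and the two `authorized_*` functions are constructed for this model. It places the reported flow beside the flow with the fix applied and enumerates the truth table, so the single input pair on which they disagree (policy "all", authzTo failing with 50, authzFrom passing) can be seen directly.

```c
/* Added example (not slapd code): a model of the authz-policy evaluation
 * order described in the report. Flag and result names mirror the report;
 * the values below and the check inputs are constructed for this model. */
#include <stdbool.h>
#include <stdio.h>

#define LDAP_SUCCESS             0
#define LDAP_INAPPROPRIATE_AUTH  48   /* value assumed for the model */
#define LDAP_INSUFFICIENT_ACCESS 50   /* the "returning 50" seen in the log */

#define SASL_AUTHZ_FROM 0x1           /* bit values assumed for the model */
#define SASL_AUTHZ_TO   0x2
#define SASL_AUTHZ_AND  0x4

/* authz-policy "any": either rule suffices; "all": both rules must pass. */
#define POLICY_ANY (SASL_AUTHZ_TO | SASL_AUTHZ_FROM)
#define POLICY_ALL (SASL_AUTHZ_TO | SASL_AUTHZ_FROM | SASL_AUTHZ_AND)

/* Pre-computed outcomes of the two rule checks, so the decision logic can be
 * exercised without a directory: to_rc is the authzTo (source) check on the
 * authentication identity, from_rc the authzFrom (destination) check on the
 * authorization identity. */
struct checks { int to_rc; int from_rc; };

/* Flow as reported: the destination check overwrites rc, so a failed source
 * rule is forgotten even when SASL_AUTHZ_AND is set. */
int authorized_reported(unsigned policy, struct checks c)
{
    int rc;

    if (policy & SASL_AUTHZ_TO) {
        rc = c.to_rc;
        if (rc == LDAP_SUCCESS && !(policy & SASL_AUTHZ_AND))
            return rc;                 /* "any": one passing rule is enough */
    }
    if (policy & SASL_AUTHZ_FROM) {
        rc = c.from_rc;                /* clobbers the source result */
        if (rc == LDAP_SUCCESS)
            return rc;
    }
    return LDAP_INAPPROPRIATE_AUTH;
}

/* Same flow with the report's fix applied: under SASL_AUTHZ_AND a failed
 * source rule is final, so both rules must pass. */
int authorized_fixed(unsigned policy, struct checks c)
{
    int rc;

    if (policy & SASL_AUTHZ_TO) {
        rc = c.to_rc;
        if (rc == LDAP_SUCCESS && !(policy & SASL_AUTHZ_AND))
            return rc;
        if (rc != LDAP_SUCCESS && (policy & SASL_AUTHZ_AND))
            return LDAP_INAPPROPRIATE_AUTH;
    }
    if (policy & SASL_AUTHZ_FROM) {
        rc = c.from_rc;
        if (rc == LDAP_SUCCESS)
            return rc;
    }
    return LDAP_INAPPROPRIATE_AUTH;
}

/* True when the two flows disagree for a policy and pair of check results. */
bool flows_differ(unsigned policy, struct checks c)
{
    return authorized_reported(policy, c) != authorized_fixed(policy, c);
}

int main(void)
{
    static const struct { const char *name; unsigned policy; } policies[] = {
        { "any", POLICY_ANY }, { "all", POLICY_ALL },
    };
    const int results[] = { LDAP_SUCCESS, LDAP_INSUFFICIENT_ACCESS };

    /* Enumerate the truth table; only all / authzTo=50 / authzFrom=0 differs. */
    for (size_t p = 0; p < 2; p++)
        for (int t = 0; t < 2; t++)
            for (int f = 0; f < 2; f++) {
                struct checks c = { results[t], results[f] };
                printf("%-3s authzTo=%2d authzFrom=%2d  reported=%2d fixed=%2d%s\n",
                       policies[p].name, c.to_rc, c.from_rc,
                       authorized_reported(policies[p].policy, c),
                       authorized_fixed(policies[p].policy, c),
                       flows_differ(policies[p].policy, c) ? "  <-- bug" : "");
            }
    return 0;
}
```

Running it prints eight rows; the "any" rows and three of the four "all" rows agree between the two flows, and the remaining "all" row reproduces the log excerpt: the reported flow returns 0 (authorization granted) while the fixed flow returns LDAP_INAPPROPRIATE_AUTH. The same table is a convenient regression check for any later change to the evaluation order.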