Re: slapo-dynlist desgin question(s)

Saturday, 13 January 2007

--On Saturday, January 13, 2007 1:36 PM -0800 Quanah Gibson-Mount 
<quanah(a)stanford.edu&gt; wrote:

...

 --On Saturday, January 13, 2007 11:03 AM +0100 Pierangelo Masarati
 <ando(a)sys-net.it&gt; wrote:

> Using the rootdn to generate the list, and
> then check access to the list itself may not be correct, because the
> dynamic list could become a means to circumvent access control to the
> actual data; think of a case where the effective user has no privileges
> on the actual data, but has compare, or even read access to the
> dynamically generated list.  Then, if the list were generated as rootdn,
> the user would be able to compare, or even read, on data that is a
> derivative of otherwise inaccessible data.  I would consider this a
> violation of data integrity. 

Oh, and much thanks for the patch. :)  I'll give it a try here soon. ;)

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

Re: slapo-dynlist desgin question(s)