Pierangelo Masarati <ando(a)sys-net.it> wrote:
> Unless one uses authzTo/authzFrom as a naming attribute, I don't see any
> issue. I haven't checked, but I believe modrdn already needs to comply
> with ACLs in a manner that allows fine-grained enough control. In fact,
> modrdn needs to pass access control both for the old and the new (r)dn,
> and the use of filters, sets and so on allows one to condition access on the
> entry's content.
Looking at the code for back-bdb, it requires you have:
- write access to old parent
- write access to new superior parent
- write access to old entry
- and there is a call to bdb_modify_internal() that will check for
attribute ACL, and this seems to be for the old location in the tree,
not the new one.
So if you have an attribute ACL that applies only to the new location,
it can be circumvented by a modrdn. I am not sure this is really a bug,
though, perhaps just an unspecified area.
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu(a)netbsd.org
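The four checks listed above, modelled as an added example (this is not slapd's code and not from either poster; it is a deliberately simplified ACL engine in which the first clause whose target matches decides, and the constructed scenario, identities, DNs and rule set are all assumptions). The model consults the attribute ACL only at the old DN, as described for back-bdb, and also shows the same check evaluated at the destination DN so the difference between the two behaviours is visible on a concrete rule set:

```python
from dataclasses import dataclass

LEVELS = {"none": 0, "read": 1, "write": 2}
WRITE = LEVELS["write"]


@dataclass
class Rule:
    """One 'access to <subtree> [attrs=...] by <who> <level>' clause (simplified)."""
    subtree: str           # applies to this DN and everything beneath it
    grants: dict           # identity -> "none" | "read" | "write"; unlisted = none
    attrs: tuple = ()      # () = governs the entry and all of its attributes


def in_subtree(dn, subtree):
    dn, subtree = dn.lower(), subtree.lower()
    return dn == subtree or dn.endswith("," + subtree)


def parent_of(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def rdn_attr(rdn):
    return rdn.split("=", 1)[0].strip().lower()


class Acl:
    def __init__(self, rules):
        self.rules = list(rules)

    def granted(self, who, dn, attr=None):
        """Access level `who` has on `dn` (or on one attribute of it).

        The first clause whose target matches decides; an attribute-scoped
        clause is skipped for entry-level questions and for attributes it
        does not name.  No matching clause means no access.
        """
        for r in self.rules:
            if not in_subtree(dn, r.subtree):
                continue
            if r.attrs and (attr is None or attr.lower() not in r.attrs):
                continue
            return LEVELS[r.grants.get(who, "none")]
        return 0


def modrdn_checks(acl, who, old_dn, new_rdn, new_superior, attrs_at_new_location=False):
    """Evaluate the access checks the thread lists for a modrdn.

    Returns (allowed, {check name: passed}).  With attrs_at_new_location=False
    the attribute ACL is consulted only at the old DN, mirroring the behaviour
    described for back-bdb; True adds the same check at the destination DN.
    """
    new_dn = f"{new_rdn},{new_superior}"
    attr = rdn_attr(new_rdn)   # modrdn rewrites the values of the naming attribute
    checks = {
        "write on old parent": acl.granted(who, parent_of(old_dn)) >= WRITE,
        "write on new superior": acl.granted(who, new_superior) >= WRITE,
        "write on old entry": acl.granted(who, old_dn) >= WRITE,
        f"write on {attr} at old DN": acl.granted(who, old_dn, attr) >= WRITE,
    }
    if attrs_at_new_location:
        checks[f"write on {attr} at new DN"] = acl.granted(who, new_dn, attr) >= WRITE
    return all(checks.values()), checks


# Constructed scenario (assumption): under ou=production the cn attribute is
# read-only for the editor, while everything else in the suffix, including the
# production entries and their parent, is writable by the editor.
BASE = "dc=example,dc=com"
PRODUCTION = f"ou=production,{BASE}"
EDITOR = f"cn=editor,ou=people,{BASE}"
ACL = Acl([
    Rule(subtree=PRODUCTION, attrs=("cn",), grants={EDITOR: "read"}),
    Rule(subtree=BASE, grants={EDITOR: "write"}),
])
ALICE = f"cn=alice,ou=staging,{BASE}"

if __name__ == "__main__":
    for at_new in (False, True):
        ok, detail = modrdn_checks(ACL, EDITOR, ALICE, "cn=alice", PRODUCTION, at_new)
        print("attribute ACL checked at new DN:", at_new, "->", "allowed" if ok else "refused")
        for name, passed in detail.items():
            print(f"  {'pass' if passed else 'FAIL'}  {name}")
```

Run stand-alone, the move of cn=alice from ou=staging into ou=production passes all four listed checks, because the cn rule scoped to ou=production is never consulted for the old DN; only the extra destination-side attribute check refuses it. For an administrator the practical reading is that an attribute-level restriction scoped to one subtree does not by itself control what arrives in that subtree by rename; the entry-level write on the new superior is the check that actually gates the move.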