Bug 37085 - uidNumber not checked while creating user
Status: REOPENED
Product: UCS
Classification: Unclassified
Component: UDM (Generic)
Version: UCS 4.4
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.x
Assigned To: UMC maintainers
Duplicates: 37084 41036
Depends on:
Blocks:
Reported: 2014-11-27 12:01 CET by Tim Petersen
Modified: 2023-03-07 11:30 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Security
Max CVSS v3 score: 4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)


Description Tim Petersen univentionstaff 2014-11-27 12:01:29 CET
See https://forge.univention.org/bugzilla/show_bug.cgi?id=37083 - there is a range limit for "valid" uidNumbers.
You can still add a new user with a uidNumber outside this limit... afterwards, as the limit was reached, no more users can be created...

We should validate this value, if there is a known limitation.
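Added example, not part of the bug report and not UDM or UCS code: a minimal Python model of a counter-based uidNumber allocator with a configured valid range. It shows the failure mode described above: when an explicitly given uidNumber outside the range is accepted without validation and the allocator's last-used value follows it, the next automatic allocation fails for every later user; with the range check in place the bad request is rejected and normal creation keeps working. It also guards a direct write to the counter, which is the path the ACLs in comments 2 and 3 open up. The range bounds (2000-2009), all class and function names, and the rule that the counter follows the highest explicit uidNumber are assumptions made for illustration, not UCS internals.

```python
# Added example, not code from UCS/UDM: a toy model of a counter-based
# uidNumber allocator with a configured valid range. The range bounds,
# the names and the "last used value follows the highest explicit
# uidNumber" behaviour are assumptions made for illustration.


class RangeExhausted(Exception):
    """No free uidNumber left in the configured range."""


class InvalidUidNumber(ValueError):
    """An explicitly requested uidNumber was rejected."""


class UidAllocator:
    def __init__(self, low, high):
        self.low, self.high = low, high
        # Models a "last used value" counter such as univentionLastUsedValue.
        self.last_used = low - 1
        self.used = set()

    def allocate(self):
        """Hand out the next uidNumber; fail cleanly when the range is used up."""
        nxt = self.last_used + 1
        if nxt > self.high:
            raise RangeExhausted(f"no uidNumber left in {self.low}-{self.high}")
        self.last_used = nxt
        self.used.add(nxt)
        return nxt

    def claim(self, uid, validate=True):
        """Register an explicitly requested uidNumber.

        With validate=False (the reported behaviour) any value is accepted and
        the counter follows it, so a single bad value can exhaust the pool.
        """
        if validate and not self.low <= uid <= self.high:
            raise InvalidUidNumber(f"{uid} outside {self.low}-{self.high}")
        if uid in self.used:
            raise InvalidUidNumber(f"{uid} already in use")
        self.used.add(uid)
        self.last_used = max(self.last_used, uid)
        return uid

    def set_last_used(self, value):
        """Direct write to the counter, guarded so it cannot be pushed
        outside the range (the write path the ACLs in comments 2 and 3 allow)."""
        if not self.low - 1 <= value <= self.high:
            raise InvalidUidNumber(f"counter {value} outside {self.low}-{self.high}")
        self.last_used = value


def create_user(alloc, username, uid_number=None, validate=True):
    """Create a user record, allocating a uidNumber unless one is given."""
    uid = alloc.allocate() if uid_number is None else alloc.claim(uid_number, validate)
    return {"username": username, "uidNumber": uid}


def outcome_after_bad_request(validate):
    """Create one user, submit an out-of-range uidNumber (erroneous or
    hostile), then try a normal creation and report what happened to it."""
    alloc = UidAllocator(2000, 2009)
    create_user(alloc, "alice")
    try:
        create_user(alloc, "carol", uid_number=999_999, validate=validate)
    except InvalidUidNumber:
        pass  # rejected by the range check; the counter is untouched
    try:
        user = create_user(alloc, "bob")
        return f"bob created with uidNumber {user['uidNumber']}"
    except RangeExhausted:
        return "range exhausted: no further users can be created"


if __name__ == "__main__":
    print("without validation:", outcome_after_bad_request(validate=False))
    print("with validation:   ", outcome_after_bad_request(validate=True))
```

Running the block prints the two outcomes side by side: without validation the single out-of-range value leaves the pool exhausted for everyone who comes after, with validation it is simply rejected. The same check belongs on any direct write to the counter, which is why set_last_used() refuses values outside the range as well.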
Comment 1 Florian Best univentionstaff 2016-04-12 13:22:52 CEST
*** Bug 41036 has been marked as a duplicate of this bug. ***
Comment 2 Florian Best univentionstaff 2016-04-14 13:12:18 CEST
We have a UCS@school ACL which allows write access to uidNumber/gidNumber which can be used to cause DoS as a teacher.

access to dn.base="cn=gidNumber,cn=temporary,cn=univention,dc=school,dc=local" attrs=univentionLastUsedValue
        by dn.regex="^uid=([^,]+),cn=(lehrer|lehrer und mitarbeiter|mitarbeiter|admins),cn=users,ou=([^,]+),dc=school,dc=local$$" write
        by * none break

access to dn.base="cn=uidNumber,cn=temporary,cn=univention,dc=school,dc=local" attrs=univentionLastUsedValue
        by dn.regex="^uid=([^,]+),cn=(lehrer|lehrer und mitarbeiter|mitarbeiter|admins),cn=users,ou=([^,]+),dc=school,dc=local$$" write
        by * none break
Comment 3 Florian Best univentionstaff 2016-04-14 13:42:15 CEST
Also by every DC:
access to dn.regex="^cn=([^,]+),cn=temporary,cn=univention,dc=school,dc=local$" attrs=univentionLastUsedValue
   by dn.children="cn=dc,cn=computers,dc=school,dc=local" write
Comment 4 Florian Best univentionstaff 2017-06-28 14:52:27 CEST
There is a Customer ID set so I set the flag "Enterprise Customer affected".
Comment 5 Stefan Gohmann univentionstaff 2019-01-03 07:16:41 CET
This issue has been filed against UCS 4.0. The maintenance with bug and security fixes for UCS 4.0 has ended on 31st of May 2016.

Customers still on UCS 4.0 are encouraged to update to UCS 4.3. Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.
Comment 6 Florian Best univentionstaff 2019-02-06 11:43:52 CET
*** Bug 37084 has been marked as a duplicate of this bug. ***