Bug 41720 - LDAP ACLs: staff is able to modify shares - but should not
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: LDAP
UCS@school 4.1
Other Linux
: P5 normal
: UCS@school 4.1 R2 vXXX
Assigned To: Florian Best
Sönke Schwardt-Krummrich
: interim-2
Depends on: 41115
Blocks: 42065 43042
Reported: 2016-07-03 23:00 CEST by Sönke Schwardt-Krummrich
Modified: 2016-11-23 12:36 CET (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Description Sönke Schwardt-Krummrich univentionstaff 2016-07-03 23:00:58 CEST
UCS@school staff users are now able to modify shares with new LDAP ACLs:

 dn: cn=Marktplatz,cn=shares,ou=schoolA,dc=nstx,dc=local
+univentionShareWriteable: =wrscxd
-univentionShareWriteable: =rscxd
+univentionShareUid: =wrscxd
-univentionShareUid: =rscxd
+univentionShareSambaWriteable: =wrscxd
-univentionShareSambaWriteable: =rscxd
+univentionShareSambaStrictLocking: =wrscxd
-univentionShareSambaStrictLocking: =rscxd
+univentionShareSambaSecurityMode: =wrscxd
-univentionShareSambaSecurityMode: =rscxd
+univentionShareSambaPublic: =wrscxd
-univentionShareSambaPublic: =rscxd
+univentionShareSambaOplocks: =wrscxd
-univentionShareSambaOplocks: =rscxd
+univentionShareSambaNtAclSupport: =wrscxd
-univentionShareSambaNtAclSupport: =rscxd
+univentionShareSambaName: =wrscxd
[...]

Everything else for staff users seems to be ok.

+++ This bug was initially created as a clone of Bug #41115 +++
Comment 1 Florian Best univentionstaff 2016-07-04 12:29:56 CEST
ucs-school-ldap-acls-master (14.0.1-6):
r70787 | Bug #41720: adjust joinscript version
r70786 | Bug #41720: staff only users should not be able to modify shares

ucs-school-ldap-acls-master.yaml:
r70788 | YAML Bug #41720

Package: ucs-school-ldap-acls-master
Version: 14.0.1-6.75.201607041226
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-07-08 12:36:51 CEST
OLD:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator) 
  (objectClass=ucsschoolStaff)
)

NEW:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator) 
  (&(objectClass=ucsschoolTeacher)(objectClass=ucsschoolStaff))
)

If I'm not mistaken, there is now redundancy in the search filter.
→ (|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator))
  should be sufficient

REOPEN: code change
OK: YAML
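As an added check, not part of the bug report or the ucs-school-ldap-acls-master package, the following Python evaluator parses the OLD and NEW filters quoted above plus the proposed simplification and compares them exhaustively over every combination of the three objectClasses: it shows that OLD admits a staff-only user while NEW and the simplified filter accept exactly the same set of users. Function names and the parser are mine; the filter strings are copied from this comment.

```python
from itertools import combinations

CLASSES = ("ucsschoolTeacher", "ucsschoolAdministrator", "ucsschoolStaff")

# Filters copied from the comment (OLD, NEW) and the proposed simplification.
OLD_FILTER = ("(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)"
              "(objectClass=ucsschoolStaff))")
NEW_FILTER = ("(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)"
              "(&(objectClass=ucsschoolTeacher)(objectClass=ucsschoolStaff)))")
SIMPLE_FILTER = "(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator))"


def parse(text):
    """Parse the &, |, ! and attr=value subset of RFC 4515 filters into a tree."""
    text = "".join(text.split())          # drop the line breaks used in the comment
    def node(pos):
        assert text[pos] == "(", "expected '(' at offset %d" % pos
        op, pos = text[pos + 1], pos + 1
        if op in "&|!":
            children, pos = [], pos + 1
            while text[pos] == "(":
                child, pos = node(pos)
                children.append(child)
            assert text[pos] == ")", "unterminated %s at offset %d" % (op, pos)
            return (op, children), pos + 1
        end = text.index(")", pos)        # equality item: attr=value
        attr, value = text[pos:end].split("=", 1)
        return ("=", attr, value), end + 1
    tree, pos = node(0)
    assert pos == len(text), "trailing garbage after filter"
    return tree


def matches(tree, entry):
    """Evaluate a parsed filter against an entry given as {attr: set(values)}."""
    op = tree[0]
    if op == "=":
        return tree[2] in entry.get(tree[1], set())
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    return not matches(tree[1][0], entry)      # "!" takes exactly one child


def accepted_profiles(filter_text):
    """Every combination of CLASSES (as a frozenset) that the filter accepts."""
    tree = parse(filter_text)
    return {frozenset(c) for n in range(len(CLASSES) + 1) for c in combinations(CLASSES, n)
            if matches(tree, {"objectClass": set(c)})}


def admits_staff_only(filter_text):  # True if a user with only ucsschoolStaff passes
    return frozenset({"ucsschoolStaff"}) in accepted_profiles(filter_text)
```

Running the same comparison before changing an ACL "who" clause is a cheap way to confirm a simplification is really equivalent rather than quietly widening or narrowing access.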
Comment 3 Florian Best univentionstaff 2016-07-08 15:49:37 CEST
You are right.

ucs-school-ldap-acls-master (14.0.1-8):
r70904 | Bug #41720: simplify filter
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:16:05 CEST
OK: code change
OK: functional test
OK: YAML
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:30:09 CEST
Back to RESOLVED for additional ucs-test scripts.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2016-08-18 17:21:28 CEST
(In reply to Sönke Schwardt-Krummrich from comment #5)
> Back to RESOLVED for additional ucs-test scripts.

ucs-test-ucsschool (3.0.14-5):
r71727 | Bug #41720: check if users are able to read but not able to modify shares objects
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2016-08-19 14:32:49 CEST
UCS@school 4.1 R2 v4 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v4-de.html

If this error occurs again, please clone this bug.