Univention Bugzilla – Bug 25197
UMC-Server: ACLs evaluation ignores "!property" option pattern (UDM op-sets vulnerable)
Last modified: 2021-06-23 07:29:05 CEST
It seems that "!property" values for the option property of udm/umc_operationset objects are currently ignored. In a test, the following operation set was specified (via the UMC):
command=ucr/categories
command=ucr/query
option=!category
Afterwards, requests with "category" set were accepted.
Therefore all predefined operation sets for UDM are vulnerable. A user who is only allowed udm-users can successfully execute:
umc-command -U bug25197 -P univention udm/query -e -o '{"objectType": "computers/computer"}' -f users/user
but the operation set says:
umcOperationSetCommand: udm/*:objectType=users/user
umcOperationSetCommand: udm/*:!objectType
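To make the bypass above concrete, here is a simplified model of the UMC option-pattern evaluation (added example, not Univention's code). It models only the spec syntax visible in this bug (one option per `umcOperationSetCommand`, the `!key` negation) and switches between the broken lookup and the corrected one so the udm-users operation set can be checked against the reported request.

```python
import fnmatch

MATCH_NONE, MATCH_FULL = 0, 1


def parse_command(spec):
    """Split 'udm/*:objectType=users/user' into (command_glob, option_pattern).

    Modelled on the specs shown in this bug only (assumption: a single option
    per spec); a bare key such as '!objectType' gets the value None."""
    command, _, option = spec.partition(':')
    if not option:
        return command, {}
    key, _, value = option.partition('=')
    return command, {key: value or None}


def option_match(opt_pattern, opts, fixed=True):
    """Return MATCH_FULL when the request options satisfy the pattern.

    fixed=False reproduces Bug 25197: the negated key is looked up with its
    leading '!' still attached, so it is never found in the request options
    and the rule is silently treated as satisfied."""
    for key, value in opt_pattern.items():
        if key.startswith('!'):
            probe = key[1:] if fixed else key   # buggy code probes '!objectType'
            if probe in opts:
                return MATCH_NONE             # forbidden key is present
            continue                          # forbidden key absent: rule OK
        if key not in opts:
            continue                          # no rule for an absent key
        if opts[key] != value:
            return MATCH_NONE                 # required value does not match
    return MATCH_FULL


def is_allowed(operation_set, command, opts, fixed=True):
    """A request is allowed if any command of the operation set grants it."""
    return any(fnmatch.fnmatch(command, glob)
               and option_match(pattern, opts, fixed) == MATCH_FULL
               for glob, pattern in operation_set)


# The udm-users operation set quoted in this bug, as constructed test data.
UDM_USERS = [parse_command("udm/*:objectType=users/user"),
             parse_command("udm/*:!objectType")]
ATTACK = {"objectType": "computers/computer"}   # request from the report

if __name__ == "__main__":
    print("buggy allows:", is_allowed(UDM_USERS, "udm/query", ATTACK, fixed=False))
    print("fixed allows:", is_allowed(UDM_USERS, "udm/query", ATTACK, fixed=True))
```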
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4. If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
This issue has been filed against UCS 3.0. UCS 3.0 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.
The function __option_match() always returns ACLs.MATCH_FULL instead of ACLs.MATCH_NONE when the ACL defines a "!key" pattern but the key is present. This patch fixes the issue: diff --git management/univention-management-console/src/univention/management/console/acl.py management/univention-management-console/src/univention/management/console/acl.py index 23c953e883..a489e6582b 100644 --- management/univention-management-console/src/univention/management/console/acl.py +++ management/univention-management-console/src/univention/management/console/acl.py @@ -214,7 +214,7 @@ class ACLs(object): match = ACLs.MATCH_FULL for key, value in opt_pattern.items(): # a key starting with ! means it may not be available - if key.startswith('!') and key in opts: + if key.startswith('!') and key[1:] in opts: return ACLs.MATCH_NONE # else if key not in opts no rule available -> OK if key not in opts:
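Review bot: the one-line fix is right (request options never carry a key spelled '!objectType', so `key in opts` could not match a negated pattern and the loop fell through to ACLs.MATCH_FULL), but the hunk touches only acl.py and adds no regression test. Add a test that passes the pattern `{'!objectType': None}` with a request containing `objectType` and asserts ACLs.MATCH_NONE, plus one with the key absent asserting the rule is skipped, so the udm-users reproduction above stays covered.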
The patch has been applied in:
univention-management-console.yaml 7658377a6373 | YAML Bug #25197
univention-management-console (11.0.6-7) 43f64d66ffc8 | Bug #25197: fix broken evaluation of disallowing option pattern
OK - default umc Operationset (with an !) still works
OK - reproducible/fixed udm-users operationset allowed for user
  without this change this worked -> umc-command -U test1 -P univention123 udm/query -e -f users/user -o '{"objectType": "computers/computer", "objectProperty":"None"}'
  with this change correctly 403
OK - yaml
OK - merged to 5.0-0
<https://errata.software-univention.de/#/?erratum=4.4x883>