Univention Bugzilla – Bug 35110
User/class/computer/school wizards unusable for non-Domain Admins
Last modified: 2023-06-12 15:39:40 CEST
The behaviour is the same as for Bug #35109. Additionally, non-admin users of UCS@school 3.2v1 were able to import users, groups, classes and schools. This isn't possible anymore.

+++ This bug was initially created as a clone of Bug #35109 +++

If a user who's not a member of the group Domain Admins tries to use the wizard, write access is denied. This is because the user's account is used to access the LDAP. The important use case of allowing a non-admin user to import user accounts is therefore not given.
*** Bug 35939 has been marked as a duplicate of this bug. ***
Reported/Asked at 2014082221000147 (Forum)
I'd like to raise this from enhancement to normal as this is a functional regression (it worked before the usage of the python lib, before r2).
Please also consider Bug #35109. May be fixed with the same LDAP ACLs.
Please check if the wizard modules are installed only on a UCS master. If this is the case, it would be best if cn=admin is used for the LDAP connection.
A customer asked again via sales about current status.
I think it is not a good idea to just change the LDAP connection to use cn=admin, because the current code can create/modify/remove any object with any attributes you want, even outside of the OU. Changing this is complex and also error prone for the future. @Sönke: Please make a clear decision on this.

Example request to remove the user "Administrator2" with a patched schoolwizards module using cn=admin:

curl 'http://Administrator:univention@10.200.27.30/univention-management-console/command/schoolwizards/users/remove' -H 'Accept-Language: en-US' -H 'Content-Type: application/json' -H 'X-Requested-With: XMLHttpRequest' --data-binary '{"options":[{"object":{"$dn$":"uid=Administrator2,cn=users,dc=saml,dc=dev","school":"foobar"},"options":null}],"flavor":"schoolwizards/users"}' -i
The same customer mentioned in comment #6 asked for the status again.
As discussed, the UMC module should work with cn=admin and check the UMCP arguments carefully. The user should only be allowed to modify objects below an OU (not in global containers).
(In reply to Sönke Schwardt-Krummrich from comment #9)
> As discussed, the UMC module should work with cn=admin and check the UMCP
> arguments carefully. The user should only be allowed to modify objects below
> an OU (not in global containers).

How about school admin users - should they be protected from changes as well?
(In reply to Sönke Schwardt-Krummrich from comment #9)
> As discussed, the UMC module should work with cn=admin and check the UMCP
> arguments carefully. The user should only be allowed to modify objects below
> an OU (not in global containers).

On YOUR risk? It's not only checking of the DN. Our handlers mostly have the syntax class 'string', which doesn't even check for valid encoding or null bytes or newlines. You can cause a lot of DoS through entering malicious data into LDAP. Most listener modules (which e.g. write the DNS configuration, etc.) aren't checking the LDAP values and blindly write them into the configuration files. Also UDM can be completely crashed (See Bug #40854).
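The two checks comments #9 and #10 ask for, scoping a request to the school's OU and rejecting NUL bytes and line breaks that the 'string' syntax lets through, as an added illustration that is not code from UCS@school or the schoolwizards module. The base DN, the sample DNs other than the one from comment #8, and the allow-list for school names are assumptions.

```python
import re

# Characters comment #10 says the 'string' syntax never rejects; block them before LDAP.
_FORBIDDEN = re.compile(r"[\x00\r\n]")
# Assumed allow-list for school (OU) names; adjust to the deployment's naming rules.
_SCHOOL_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*$")

def split_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped or ch not in "\\,":
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        else:  # unescaped comma ends the current RDN
            parts.append("".join(cur))
            cur = []
    parts.append("".join(cur))
    return [p.strip() for p in parts]

def normalize_rdn(rdn):
    """Lower-case attribute type and value so comparisons are case-insensitive."""
    attr, _, value = rdn.partition("=")
    return (attr.strip().lower(), value.strip().lower())

def dn_is_below_ou(dn, school, base_dn):
    """True only if dn lies strictly below ou=<school>,<base_dn> (RDN suffix match)."""
    target = [normalize_rdn(r) for r in split_dn(dn)]
    ou = [normalize_rdn(r) for r in split_dn("ou=%s,%s" % (school, base_dn))]
    return len(target) > len(ou) and target[-len(ou):] == ou

def check_request_object(obj, base_dn):
    """Return the reasons to reject one wizard request object (empty list = acceptable)."""
    problems = []
    school = obj.get("school", "")
    if not _SCHOOL_NAME.match(school):
        problems.append("school name is not a plain OU name")
    for key, value in obj.items():
        if isinstance(value, str) and _FORBIDDEN.search(value):
            problems.append("attribute %r contains NUL or line break" % key)
    dn = obj.get("$dn$", "")
    if not problems and not dn_is_below_ou(dn, school, base_dn):
        problems.append("DN %r is outside ou=%s" % (dn, school))
    return problems
```

With this in place, the request from comment #8 (DN under cn=users at the domain root, school "foobar") is rejected before any LDAP operation runs under cn=admin.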
Reported again, 4.1-1 errata156 (Vahr).

Die Ausführung des Kommandos schoolwizards/computers/remove schoolwizards/computers ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 140, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 121, in _decorated
    ret = func(self, request, *a, **kw)
  File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 232, in _delete_obj
    if obj.remove(ldap_user_write):
  File "%PY2.7%/ucsschool/lib/models/base.py", line 501, in remove
    success = self.remove_without_hooks(lo)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 511, in remove_without_hooks
    udm_obj.remove(remove_childs=True)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 524, in remove
    return self._remove(remove_childs)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1047, in _remove
    self.lo.delete(self.dn)
  File "%PY2.7%/univention/admin/uldap.py", line 461, in delete
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
(In reply to Florian Best from comment #12)
> Reported again, 4.1-1 errata156 (Vahr).
> Die Ausführung des Kommandos schoolwizards/computers/remove
> schoolwizards/computers ist fehlgeschlagen:
>
> Traceback (most recent call last):
>   File "%PY2.7%/univention/management/console/base.py", line 283, in execute
>     function(self, request)
>   File "%PY2.7%/ucsschool/lib/schoolldap.py", line 140, in wrapper_func
>     return func(*args, **kwargs)
>   File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 121, in _decorated
>     ret = func(self, request, *a, **kw)
>   File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 232, in _delete_obj
>     if obj.remove(ldap_user_write):
>   File "%PY2.7%/ucsschool/lib/models/base.py", line 501, in remove
>     success = self.remove_without_hooks(lo)
>   File "%PY2.7%/ucsschool/lib/models/base.py", line 511, in remove_without_hooks
>     udm_obj.remove(remove_childs=True)
>   File "%PY2.7%/univention/admin/handlers/__init__.py", line 524, in remove
>     return self._remove(remove_childs)
>   File "%PY2.7%/univention/admin/handlers/__init__.py", line 1047, in _remove
>     self.lo.delete(self.dn)
>   File "%PY2.7%/univention/admin/uldap.py", line 461, in delete
>     raise univention.admin.uexceptions.permissionDenied
> permissionDenied

Any information on which user tried to delete that computer object? Please also note that the UMC module is by default only available to Domain Admins on DC master/backup.
(In reply to Sönke Schwardt-Krummrich from comment #13)
> Any information, which user tried to delete that computer object?
> Please also note, that the UMC module is by default only available to Domain
> Admins on DC master/backup.

No, we currently don't send this information. I would like to add them.
*** This bug has been marked as a duplicate of bug 44641 ***
(In reply to Daniel Tröder from comment #15)
> *** This bug has been marked as a duplicate of bug 44641 ***

Please give an explanation. This bug is for a real solution while Bug #44641 is only a workaround which adds serious security problems.
Removing the "duplicate" link to bug 44641.
This issue has been filed against UCS@school 3. The maintenance with bug and security fixes for the last UCS@school version for UCS 3.x (→ UCS@school 3.2) ended on Dec 31, 2016. Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). Please contact your partner or Univention for any questions. If this issue still occurs in newer UCS versions, please use "Clone this bug" or simply reopen the issue. In this case please provide detailed information on how this issue is affecting you.