Bug 35110 - User/class/computer/school wizards unusable for non-Domain Admins
Status: CLOSED WONTFIX
Product: UCS@school
Classification: Unclassified
Component: UMC - Wizards
UCS@school 3.2 R2
Other Linux
Importance: P5 normal with 2 votes
Assigned To: UCS@school maintainers
Duplicates: 35939
Depends on: 35109
Blocks: 44641 44642
Reported: 2014-06-12 17:16 CEST by Jan Christoph Ebersbach
Modified: 2023-06-12 15:39 CEST (History)
CC: 11 users

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Error handling, External feedback, Roadmap discussion, Workaround is available
Max CVSS v3 score:


Attachments

Description Jan Christoph Ebersbach univentionstaff 2014-06-12 17:16:51 CEST
The behaviour is the same as for Bug #35109.  Additionally, non-admin users of UCS@school 3.2v1 were able to import users, groups, classes and schools.  This isn't possible anymore.

+++ This bug was initially created as a clone of Bug #35109 +++

If a user who is not a member of the group Domain Admins tries to use the wizard, write access is denied.  This is because the user's account is used to access the LDAP.

The important use case of allowing a non-admin user to import user accounts is therefore not given.
Comment 1 Jan Christoph Ebersbach univentionstaff 2014-09-24 14:44:03 CEST
*** Bug 35939 has been marked as a duplicate of this bug. ***
Comment 2 Tim Petersen univentionstaff 2015-02-20 07:16:52 CET
Reported/Asked at 2014082221000147 (Forum)
Comment 3 Tim Petersen univentionstaff 2015-02-20 07:32:52 CET
I'd like to raise this from enhancement to normal, as this is a functional regression (it worked before the usage of the Python lib, before R2).
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2015-02-27 09:19:32 CET
Please also consider Bug #35109. May be fixed with the same LDAP ACLs.
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2015-06-18 15:32:58 CEST
Please check if the wizard modules are installed only on a UCS master. If this is the case, it would be best if cn=admin were used for the LDAP connection.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2015-10-16 17:17:50 CEST
A customer asked again via sales about current status.
Comment 7 Florian Best univentionstaff 2015-11-24 17:24:47 CET
I think it is not a good idea to just change the LDAP connection to use cn=admin because the current code can create/modify/remove any object with any attributes you want even outside of the OU.
Changing this is complex and also error prone for the future.
@Sönke: Please make a clear decision on this.

Example request to remove the user "Administrator2" with a patched schoolwizards module using cn=admin:
curl 'http://Administrator:univention@10.200.27.30/univention-management-console/command/schoolwizards/users/remove' -H 'Accept-Language: en-US' -H 'Content-Type: application/json' -H 'X-Requested-With: XMLHttpRequest' --data-binary '{"options":[{"object":{"$dn$":"uid=Administrator2,cn=users,dc=saml,dc=dev","school":"foobar"},"options":null}],"flavor":"schoolwizards/users"}' -i
Comment 8 Stephan Luft univentionstaff 2016-01-26 09:27:41 CET
The same customer mentioned in comment #6 asked for the status again.
Comment 9 Sönke Schwardt-Krummrich univentionstaff 2016-03-08 12:11:37 CET
As discussed, the UMC module should work with cn=admin and check the UMCP arguments carefully. The user should only be allowed to modify objects below an OU (not in global containers).
Comment 10 Jan Christoph Ebersbach univentionstaff 2016-03-08 18:52:19 CET
(In reply to Sönke Schwardt-Krummrich from comment #9)
> As discussed, the UMC module should work with cn=admin and check the UMCP
> arguments carefully. The user should only be allowed to modify objects below
> an OU (not in global containers).

How about school admin users - should they be protected from changes as well?
Comment 11 Florian Best univentionstaff 2016-03-10 14:23:41 CET
(In reply to Sönke Schwardt-Krummrich from comment #9)
> As discussed, the UMC module should work with cn=admin and check the UMCP
> arguments carefully. The user should only be allowed to modify objects below
> an OU (not in global containers).

At YOUR risk? It's not only checking of the DN. Our handlers mostly have the syntax class 'string', which doesn't even check for valid encoding, null bytes or newlines. You can cause a lot of DoS by entering malicious data into LDAP. Most listener modules (which e.g. write the DNS configuration, etc.) aren't checking the LDAP values and blindly write them into the configuration files. Also UDM can be completely crashed (see Bug #40854).
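The two checks argued about in comment 9 and comment 11 (restrict a cn=admin-backed wizard to objects below the caller's school OU, and refuse values with null bytes, newlines or broken encoding before they reach LDAP) can be illustrated together. The following is an added example, not Univention's code and not the schoolwizards module: it assumes the base DN dc=saml,dc=dev and the request shape from the curl command in comment 7, and the function names, the school-name pattern and the cn=schueler container path are constructed for the illustration.

```python
import re

# Constructed sample values: the base DN and the request body are modelled on the
# curl example in comment 7; nothing here is Univention's own code.
BASE_DN = "dc=saml,dc=dev"

# Assumption: school names are plain identifiers, so a request cannot smuggle RDN
# separators into the OU DN that is built from them.
SCHOOL_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Null bytes, newlines and other control characters must never reach LDAP values.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def split_dn(dn):
    """Split a DN into normalised RDN strings (lower-cased, trimmed), honouring
    backslash-escaped commas such as in 'cn=Doe\\, John,ou=foobar,...'."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair verbatim
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf).strip().lower())
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf).strip().lower())
    return rdns


def is_clean_value(value):
    """Reject non-strings, control characters and strings that are not valid UTF-8
    (lone surrogates fail to encode)."""
    if not isinstance(value, str) or CONTROL_CHARS.search(value):
        return False
    try:
        value.encode("utf-8")
    except UnicodeEncodeError:
        return False
    return True


def is_below_school(dn, school, base_dn=BASE_DN):
    """True only if dn lies strictly below ou=<school>,<base_dn>; the OU itself and
    global containers such as cn=users,<base_dn> are refused."""
    rdns = split_dn(dn)
    ou = split_dn("ou=%s,%s" % (school, base_dn))
    return len(rdns) > len(ou) and rdns[-len(ou):] == ou


def check_request(options, allowed_schools, base_dn=BASE_DN):
    """Validate the 'options' list of a schoolwizards request before any privileged
    LDAP write. Returns (accepted_dns, rejected) with rejected as (dn, reason) pairs."""
    allowed = {s.lower() for s in allowed_schools}
    accepted, rejected = [], []
    for entry in options:
        obj = entry.get("object") or {}
        dn, school = obj.get("$dn$"), obj.get("school")
        if not (is_clean_value(dn) and is_clean_value(school)):
            rejected.append((dn, "malformed value"))
        elif not SCHOOL_NAME.match(school):
            rejected.append((dn, "invalid school name"))
        elif school.lower() not in allowed:
            rejected.append((dn, "school not administered by caller"))
        elif not is_below_school(dn, school, base_dn):
            rejected.append((dn, "dn outside school OU"))
        else:
            accepted.append(dn)
    return accepted, rejected


# Constructed request body in the shape used by the curl command in comment 7.
SAMPLE_REQUEST = {
    "options": [
        {"object": {"$dn$": "uid=Administrator2,cn=users,dc=saml,dc=dev",
                    "school": "foobar"}, "options": None},
        {"object": {"$dn$": "uid=student1,cn=schueler,cn=users,ou=foobar,dc=saml,dc=dev",
                    "school": "foobar"}, "options": None},
    ],
    "flavor": "schoolwizards/users",
}

if __name__ == "__main__":
    ok, bad = check_request(SAMPLE_REQUEST["options"], allowed_schools=["foobar"])
    print("accepted:", ok)
    print("rejected:", bad)
```

The scope check compares normalised RDN suffixes rather than doing a string `endswith`, so case differences, stray spaces and escaped commas in a CN cannot slip an object past it; the allowed-schools set stands in for whatever the real module would derive from the calling user's own rights. The value check covers only the fields the wizard itself reads; the listener-side concern in comment 11, that values already stored in LDAP are written to configuration files unchecked, is not addressed by it.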
Comment 12 Florian Best univentionstaff 2016-04-29 10:39:02 CEST
Reported again, 4.1-1 errata156 (Vahr).
Die Ausführung des Kommandos schoolwizards/computers/remove schoolwizards/computers ist fehlgeschlagen:

Traceback (most recent call last):
  File "%PY2.7%/univention/management/console/base.py", line 283, in execute
    function(self, request)
  File "%PY2.7%/ucsschool/lib/schoolldap.py", line 140, in wrapper_func
    return func(*args, **kwargs)
  File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 121, in _decorated
    ret = func(self, request, *a, **kw)
  File "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py", line 232, in _delete_obj
    if obj.remove(ldap_user_write):
  File "%PY2.7%/ucsschool/lib/models/base.py", line 501, in remove
    success = self.remove_without_hooks(lo)
  File "%PY2.7%/ucsschool/lib/models/base.py", line 511, in remove_without_hooks
    udm_obj.remove(remove_childs=True)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 524, in remove
    return self._remove(remove_childs)
  File "%PY2.7%/univention/admin/handlers/__init__.py", line 1047, in _remove
    self.lo.delete(self.dn)
  File "%PY2.7%/univention/admin/uldap.py", line 461, in delete
    raise univention.admin.uexceptions.permissionDenied
permissionDenied
Comment 13 Sönke Schwardt-Krummrich univentionstaff 2016-04-29 14:10:20 CEST
(In reply to Florian Best from comment #12)
> Reported again, 4.1-1 errata156 (Vahr).
> Die Ausführung des Kommandos schoolwizards/computers/remove
> schoolwizards/computers ist fehlgeschlagen:
> 
> Traceback (most recent call last):
>   File "%PY2.7%/univention/management/console/base.py", line 283, in execute
>     function(self, request)
>   File "%PY2.7%/ucsschool/lib/schoolldap.py", line 140, in wrapper_func
>     return func(*args, **kwargs)
>   File
> "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py",
> line 121, in _decorated
>     ret = func(self, request, *a, **kw)
>   File
> "%PY2.7%/univention/management/console/modules/schoolwizards/__init__.py",
> line 232, in _delete_obj
>     if obj.remove(ldap_user_write):
>   File "%PY2.7%/ucsschool/lib/models/base.py", line 501, in remove
>     success = self.remove_without_hooks(lo)
>   File "%PY2.7%/ucsschool/lib/models/base.py", line 511, in
> remove_without_hooks
>     udm_obj.remove(remove_childs=True)
>   File "%PY2.7%/univention/admin/handlers/__init__.py", line 524, in remove
>     return self._remove(remove_childs)
>   File "%PY2.7%/univention/admin/handlers/__init__.py", line 1047, in _remove
>     self.lo.delete(self.dn)
>   File "%PY2.7%/univention/admin/uldap.py", line 461, in delete
>     raise univention.admin.uexceptions.permissionDenied
> permissionDenied

Any information on which user tried to delete that computer object?
Please also note that the UMC module is by default only available to Domain Admins on DC master/backup.
Comment 14 Florian Best univentionstaff 2016-04-29 14:11:31 CEST
(In reply to Sönke Schwardt-Krummrich from comment #13)
> Any information, which user tried to delete that computer object?
> Please also note, that the UMC module is by default only available to Domain
> Admins on DC master/backup.
No, we currently don't send this information. I would like to add it.
Comment 15 Daniel Tröder univentionstaff 2017-06-22 11:51:21 CEST

*** This bug has been marked as a duplicate of bug 44641 ***
Comment 16 Florian Best univentionstaff 2017-06-22 11:57:35 CEST
(In reply to Daniel Tröder from comment #15)
> 
> *** This bug has been marked as a duplicate of bug 44641 ***
Please give an explanation. This bug is for a real solution while Bug #44641 is only a workaround which adds serious security problems.
Comment 17 Sönke Schwardt-Krummrich univentionstaff 2017-06-22 12:26:07 CEST
Removing the "duplicate" link to bug 44641.
Comment 18 Sönke Schwardt-Krummrich univentionstaff 2019-02-05 21:50:05 CET
This issue has been filed against UCS@school 3. The maintenance with bug and security fixes for the last UCS@school version for UCS 3.x (→ UCS@school 3.2) has ended on Dec 31, 2016.

Customers still on UCS 3.x are encouraged to update to UCS 4.3 (or later). 
Please contact your partner or Univention for any questions.

If this issue still occurs in newer UCS versions, please use "Clone this bug"
or simply reopen the issue. In this case please provide detailed information on
how this issue is affecting you.