Univention Bugzilla – Bug 41179
User is allowed to change its objectClass
Last modified: 2021-06-23 07:29:09 CEST
univention-ldap-acl-master ships 63univention-ldap-server_acl-master-password with the following ACL rule: """ access to attrs="univentionUMCProperty,objectClass" by self write by * none break """ This rule allows everybody (!) to change its own object class. Have fun! As an example: ucsschoolStudent anton1 is allowed to change its object class from ucsschoolStudent to ucsschoolAdministrator + ucsschoolTeacher. I am not sure, but there are probably also things which can be executed by a Memberserver or Windows computer.
The rule exists because a user has to modify its UMC favorites/settings/appcenter-notification-read. The rule should be adjusted so that it is limited to users and to the specific object class for the attribute univentionUMCProperty, which is univentionPerson (which must be added in case it is not already). We could also change the UMC-Server to use the admin/machine account to change the values and remove the rule completely.
Created attachment 7631 [details] patch
Access is now restricted to the univentionUMCProperty attribute and to the object class univentionPerson. Users with only the "person" object class must be able to add/remove the object class univentionPerson. univention-ldap (12.1.6-23): r70607 | Bug #41179: restrict access to own object classes univention-ldap.yaml: r70609 | YAML Bug #41179, Bug #41180
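The shape of the restriction described in this comment, written out as an added illustration (an assumed reconstruction in slapd.access(5) syntax, not the attached patch r70607): the original rule quoted in the report beside a narrowed version that scopes univentionUMCProperty to univentionPerson entries and lets an entry add or remove only the univentionPerson value of its own objectClass.

```conf
# Original rule from 63univention-ldap-server_acl-master-password (as quoted in the report):
# any entry may rewrite its own objectClass, so a user can add privileged classes.
access to attrs="univentionUMCProperty,objectClass"
    by self write
    by * none break

# Assumed replacement (illustration only, not the shipped patch):
# 1. univentionUMCProperty is self-writable only on entries that already carry
#    objectClass univentionPerson.
access to filter=(objectClass=univentionPerson) attrs=univentionUMCProperty
    by self write
    by * none break

# 2. Of the objectClass values, self may add or remove only "univentionPerson";
#    "val=" limits the rule to that single attribute value, so any other
#    objectClass value (e.g. ucsschoolAdministrator) falls through to the
#    stricter rules that follow and is not self-writable.
access to attrs=objectClass val=univentionPerson
    by self write
    by * none break
```

The effect can be checked offline with slapacl(8), for example `slapacl -b <user dn> -D <user dn> objectClass/write:ucsschoolAdministrator` should report the write as denied while `objectClass/write:univentionPerson` is allowed.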
Tests: OK I was able to reproduce the problem. I could simply add univentionFreeAttributes as new objectClass. After updating to the new version, I wasn't able to add univentionFreeAttributes but I was still able to change the favorites or the app center flag. I was also able to change the objectClasses as member of the Domain Admins group. Code review: OK YAML: OK (updated version number: r70905)
<http://errata.software-univention.de/ucs/4.1/222.html>