Bug 41179 - User is allowed to change its objectClass
User is allowed to change its objectClass
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.1
Other Linux
: P5 critical (vote)
: UCS 4.1-2-errata
Assigned To: Florian Best
Stefan Gohmann
Depends on:
  Show dependency treegraph
Reported: 2016-04-29 14:27 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)
1 user (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
best: Patch_Available+

patch (1.09 KB, patch)
2016-04-29 15:31 CEST, Florian Best
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Best univentionstaff 2016-04-29 14:27:19 CEST
univention-ldap-acl-master ships 63univention-ldap-server_acl-master-password with the following ACL rule:

access to attrs="univentionUMCProperty,objectClass"
   by self write
   by * none break

This rule allows everybody (!) to change it's own object class. Have fun!

As an example:
ucsschoolStudent anton1 is allowed to change its object class from ucsschoolStudent to ucsschoolAdministrator + ucsschoolTeacher.

I am not sure but there are probably also things which can be executed by a Memberserver or Windows computer.
Comment 1 Florian Best univentionstaff 2016-04-29 14:30:36 CEST
The rule exists because a user has to modify it's UMC favorites/settings/appcenter-notification-read.

The rule should be adjusted that it is limited to users and to the specific object class for the attribute univentionUMCProperty which is univentionPerson.
(Which must be added in case it is not already).

We could also change the UMC-Server to use admin/machine account to change the values and remove the rule completely.
Comment 2 Florian Best univentionstaff 2016-04-29 15:31:02 CEST
Created attachment 7631 [details]
Comment 3 Florian Best univentionstaff 2016-06-24 13:44:27 CEST
Access is now restricted to the univentionUMCProperty attribute and to the object class univentionPerson.
users with only "person" object class must be abel to add/remove the object class univentionPerson.

univention-ldap (12.1.6-23):
r70607 | Bug #41179: restrict access to own object classes

r70609 | YAML Bug #41179, Bug #41180
Comment 4 Stefan Gohmann univentionstaff 2016-07-08 16:53:35 CEST
Tests: OK
I was able to reproduce the problem. I could simply add univentionFreeAttributes as new objectClass. After updating to the new version, I wasn't able to add univentionFreeAttributes but I was still able to change the favorites or the app center flag. I was also able to change the objectClasses as member of the Domain Admins group.

Code review: OK

YAML:  OK (updated version number: r70905)
Comment 5 Janek Walkenhorst univentionstaff 2016-08-03 15:56:48 CEST