Bug 41468 - UCS@school lib caching of udm objects causes operations to be executed with wrong ldap connection
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Ucsschool-lib
Version: UCS@school 4.1 R2
Hardware: Other Linux
Importance: P5 major
Target Milestone: UCS@school 4.1 R2
Assigned To: Florian Best
QA Contact: Daniel Tröder
Depends on:
Blocks:
Reported: 2016-06-06 11:30 CEST by Florian Best
Modified: 2016-09-21 18:10 CEST
CC: 1 user

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:

Description Florian Best univentionstaff 2016-06-06 11:30:48 CEST
Assume the following snippet:
from ucsschool.lib.models import User
# loaded (and cached) with the admin connection, removed with the user connection
user = User.from_dn(some_dn, None, ldap_admin_write)
user.remove(ldap_user_write)
or
# loaded (and cached) with the user connection, removed with the admin connection
user = User.from_dn(some_dn, None, ldap_user_write)
user.remove(ldap_admin_write)

This will remove the object with the ldap_admin_write connection, as the cached UDM object is used, in which udm_obj.lo is saved.
We need and use such a pattern, e.g. to make sure the user is only removed if readable by that user but not necessarily writeable/deletable.
Comment 1 Florian Best univentionstaff 2016-06-06 12:06:46 CEST
ucs-school-lib (9.0.10-1):
r69842 | Bug #41468: don't cache udm_object when ldap binddn changes

Here is the proof for the fix:
>>> import univention.admin.uldap
>>> lo1,po=univention.admin.uldap.getMachineConnection()
>>> lo2,po=univention.admin.uldap.getAdminConnection()
>>> 
>>> from ucsschool.lib.models import AnyComputer
>>> c = AnyComputer.from_dn(lo1.binddn, None, lo1)
>>> id(c.get_udm_object(lo1))
57339216
>>> id(c.get_udm_object(lo1))
57339216
>>> id(c.get_udm_object(lo2))
58388816
>>> id(c.get_udm_object(lo2))
58388816
>>> id(c.get_udm_object(lo1))
57338576
Comment 2 Daniel Tröder univentionstaff 2016-06-14 13:59:18 CEST
(In reply to Florian Best from comment #1)
> ucs-school-lib (9.0.10-1):
> r69842 | Bug #41468: don't cache udm_object when ldap binddn changes
> 
> Here is the proof for the fix:
> >>> import univention.admin.uldap
> >>> lo1,po=univention.admin.uldap.getMachineConnection()
> >>> lo2,po=univention.admin.uldap.getAdminConnection()
> >>> 
> >>> from ucsschool.lib.models import AnyComputer
> >>> c = AnyComputer.from_dn(lo1.binddn, None, lo1)
> >>> id(c.get_udm_object(lo1))
> 57339216
> >>> id(c.get_udm_object(lo1))
> 57339216
> >>> id(c.get_udm_object(lo2))
> 58388816
> >>> id(c.get_udm_object(lo2))
> 58388816
> >>> id(c.get_udm_object(lo1))
> 57338576
OK: previously cached UDM object is retrieved again from LDAP in case previous and current LDAP connections differ.
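The following is an added, self-contained illustration of the flaw described in the report and of the check the fix introduces; it is not code from ucsschool.lib or UDM. FakeConnection, FakeUdmObject, fetch_udm_object, BuggyModel, FixedModel, run_case and all DNs are stand-ins constructed for this demonstration. Only the shape of the bug is taken from the report: the model caches a UDM object which keeps the LDAP connection it was loaded with in `.lo`, and every later operation goes through that connection regardless of the one passed in. The fixed variant re-fetches when the bind DN differs, which is the behaviour comment 2 confirms.

```python
# Added example for bug 41468, not ucsschool.lib or UDM code.
# All names and DNs below are constructed stand-ins.

ADMIN_DN = "cn=admin,dc=example,dc=com"                 # constructed
USER_DN = "uid=teacher1,ou=school,dc=example,dc=com"     # constructed
PUPIL_DN = "uid=pupil1,ou=school,dc=example,dc=com"      # constructed


class FakeConnection:
    """Stand-in for an LDAP connection: a bind DN plus a delete permission.
    Records the DNs deleted through it so the test can see who acted."""

    def __init__(self, binddn, may_delete):
        self.binddn = binddn
        self.may_delete = may_delete
        self.deleted = []

    def delete(self, dn):
        if not self.may_delete:
            raise PermissionError("%s may not delete %s" % (self.binddn, dn))
        self.deleted.append(dn)


class FakeUdmObject:
    """Stand-in for a UDM object: like the real one it remembers the
    connection it was loaded with in `.lo` and removes through that one."""

    def __init__(self, dn, lo):
        self.dn = dn
        self.lo = lo

    def remove(self):
        self.lo.delete(self.dn)


def fetch_udm_object(dn, lo):
    """Pretend LDAP lookup: a fresh object bound to `lo` every time."""
    return FakeUdmObject(dn, lo)


class BuggyModel:
    """Caches the first UDM object and ignores the connection passed later
    (the behaviour reported in the description)."""

    def __init__(self, dn):
        self.dn = dn
        self._udm_obj = None

    def get_udm_object(self, lo):
        if self._udm_obj is None:
            self._udm_obj = fetch_udm_object(self.dn, lo)
        return self._udm_obj

    def remove(self, lo):
        # Whatever `lo` is, the cached object's own `.lo` does the delete.
        self.get_udm_object(lo).remove()


class FixedModel(BuggyModel):
    """Re-fetches whenever the bind DN differs from the cached object's
    connection; reuses the cache when the same connection comes back."""

    def get_udm_object(self, lo):
        cached = self._udm_obj
        if cached is None or cached.lo.binddn != lo.binddn:
            self._udm_obj = fetch_udm_object(self.dn, lo)
        return self._udm_obj


def run_case(model_cls, load_as, remove_as):
    """Load PUPIL_DN with one connection and remove it with another.
    Returns the bind DN that actually performed the delete, or None if
    the connection that ended up being used was refused."""
    conns = {
        "admin": FakeConnection(ADMIN_DN, may_delete=True),
        "user": FakeConnection(USER_DN, may_delete=False),
    }
    model = model_cls(PUPIL_DN)
    model.get_udm_object(conns[load_as])   # what from_dn() does internally
    try:
        model.remove(conns[remove_as])
    except PermissionError:
        return None
    for conn in conns.values():
        if PUPIL_DN in conn.deleted:
            return conn.binddn
    return None


if __name__ == "__main__":
    for cls in (BuggyModel, FixedModel):
        print(cls.__name__, "load=admin remove=user ->", run_case(cls, "admin", "user"))
        print(cls.__name__, "load=user remove=admin ->", run_case(cls, "user", "admin"))
```

With BuggyModel, loading as admin and removing as the restricted user still deletes through the admin connection, which is the privilege problem of the report; loading as the user and removing as admin is the mirror image, the cached restricted connection is used and the delete is refused. FixedModel uses the connection that was actually passed to remove() in both orderings, while two calls with the same connection still share the cached object. Note that the check keys on the bind DN alone, so two connections bound as the same DN share a cache; for the permission problem reported here that is sufficient.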
Comment 3 Florian Best univentionstaff 2016-06-28 18:24:53 CEST
UCS@school 4.1 R2 has been released:
http://docs.software-univention.de/release-notes-ucsschool-4.1R2v1-de.pdf

If this error occurs again, please use "Clone This Bug".