Bug 50669 - Restrict Access to LDAP Data for Non-Administrative Users
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: LDAP
Version: unspecified
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.4 v5-errata
Assigned To: Ole Schwiegert
QA Contact: Daniel Tröder
URL: https://cve.mitre.org/cgi-bin/cvename...
Depends on:
Blocks: 51658
Reported: 2019-12-20 13:24 CET by Christian Völker
Modified: 2020-08-24 13:15 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019121921000832
Bug group (optional): Security
Max CVSS v3 score:
Description Christian Völker univentionstaff 2019-12-20 13:24:03 CET
For non-administrative users access to sensitive LDAP attributes should be restricted. Currently accessible are, i.e., NTLM hashes.

Currently it appears students have only access to their own data which is fine.
But teachers and staff have access to the school admins data which is no good.

Additionally teachers (or staff) have access to all students, teachers and staff data. Again, no good.


Further details about tests performed and expected result table can be found in the ticket.
Comment 4 Daniel Tröder univentionstaff 2020-05-04 15:02:38 CEST
OK: code (ACL) changes
OK: automatic tests 75_ldap_acls_* on developer VM
OK: manual tests:

Tests were run like this (changing binddn and filter):

ldapsearch -LLL -D uid=demo_student,cn=schueler,cn=users,ou=DEMOSCHOOL,$(ucr get ldap/base) -w univention -x -H ldap://localhost:7389/ uid=demo_teacher userPassword

* admin → admin: denied
* admin → global: denied
* admin → staff: ok
* admin → student: ok
* admin → teacher: ok
* global → admin: denied
* global → global: denied
* global → staff: denied
* global → student: denied
* global → teacher: denied
* staff → admin: denied
* staff → global: denied
* staff → staff: denied
* staff → student: denied
* staff → teacher: denied
* student → admin: denied
* student → global: denied
* student → staff: denied
* student → student: denied
* student → teacher: denied
* teacher → admin: denied
* teacher → global: denied
* teacher → staff: denied
* teacher → student: ok
* teacher → teacher: denied

OK: students and global users cannot read their own passwords. That is not required by this bug, but has already been like this before. This is not a regression. If this behavior is not desired, please open a new bug.

WAIT: all good so far, will wait until tomorrow for the Jenkins tests.
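The manual check in the comment above (one ldapsearch per binder/target pair, result read off as "ok" or "denied") can be turned into a repeatable ACL regression harness. The script below is an added example, not code from the bug report or from Univention: it encodes the expected matrix from the comment, builds the same ldapsearch call per pair, and classifies the outcome by whether the requested attribute actually came back, because OpenLDAP ACL denials on an attribute usually return the entry without that attribute rather than an error. The demo user names (demo_admin, demo_staff, demo_global), the role container names (cn=admins, cn=mitarbeiter, cn=lehrer, cn=schueler under cn=users of the school OU, plain cn=users for the "global" user) and the placeholder LDAP base are assumptions; replace them with the values from the target system.

```python
"""Role-by-role read check for a sensitive LDAP attribute (userPassword).

Constructed example, not part of the bug report. Replays the test matrix
from comment 4 and reports every pair whose observed result differs from
the expected one. Container and user names are assumptions.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

LDAP_BASE = "dc=example,dc=com"  # placeholder: use the output of `ucr get ldap/base`
SCHOOL_OU = "ou=DEMOSCHOOL"
ATTRIBUTE = "userPassword"
PASSWORD = "univention"          # demo password used in the comment

# (uid, container) per role. Container names are assumed UCS@school defaults.
ROLES: Dict[str, Tuple[str, str]] = {
    "admin":   ("demo_admin",   f"cn=admins,cn=users,{SCHOOL_OU},{LDAP_BASE}"),
    "staff":   ("demo_staff",   f"cn=mitarbeiter,cn=users,{SCHOOL_OU},{LDAP_BASE}"),
    "student": ("demo_student", f"cn=schueler,cn=users,{SCHOOL_OU},{LDAP_BASE}"),
    "teacher": ("demo_teacher", f"cn=lehrer,cn=users,{SCHOOL_OU},{LDAP_BASE}"),
    "global":  ("demo_global",  f"cn=users,{LDAP_BASE}"),  # user outside any school OU
}

# Expected matrix from the comment: admins may read staff/student/teacher
# secrets, teachers may read student secrets, everything else (self included)
# is denied.
EXPECTED: Dict[Tuple[str, str], str] = {(b, t): "denied" for b in ROLES for t in ROLES}
for _pair in [("admin", "staff"), ("admin", "student"), ("admin", "teacher"), ("teacher", "student")]:
    EXPECTED[_pair] = "ok"


def bind_dn(role: str) -> str:
    uid, container = ROLES[role]
    return f"uid={uid},{container}"


def ldapsearch_cmd(binder: str, target: str) -> List[str]:
    """Same call as in the comment, with base and target uid made explicit."""
    return ["ldapsearch", "-LLL", "-x", "-H", "ldap://localhost:7389/",
            "-D", bind_dn(binder), "-w", PASSWORD,
            "-b", LDAP_BASE, f"uid={ROLES[target][0]}", ATTRIBUTE]


def classify(returncode: int, stdout: str) -> str:
    """'ok' only if the attribute was returned; bind errors or a bare entry count as 'denied'."""
    if returncode != 0:
        return "denied"
    for line in stdout.splitlines():
        if line.startswith(ATTRIBUTE + ":"):  # also matches the base64 form "userPassword::"
            return "ok"
    return "denied"


def run_ldapsearch(cmd: List[str]) -> Tuple[int, str]:
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.returncode, proc.stdout


def check_matrix(runner: Callable[[List[str]], Tuple[int, str]] = run_ldapsearch
                 ) -> List[Tuple[str, str, str, str]]:
    """Return (binder, target, expected, observed) for every pair that deviates."""
    mismatches = []
    for (binder, target), expected in sorted(EXPECTED.items()):
        observed = classify(*runner(ldapsearch_cmd(binder, target)))
        if observed != expected:
            mismatches.append((binder, target, expected, observed))
    return mismatches


if __name__ == "__main__":
    bad = check_matrix()
    for binder, target, exp, obs in bad:
        print(f"MISMATCH {binder} -> {target}: expected {exp}, got {obs}")
    print("all ACL checks passed" if not bad else f"{len(bad)} mismatch(es)")
```

The runner is injectable so the classification and the expected matrix can be exercised without a directory server; on a real system the script needs the demo accounts to exist with the given password and prints only the pairs that deviate from the table in the comment.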
Comment 5 Daniel Tröder univentionstaff 2020-05-05 10:47:52 CEST
(In reply to Daniel Tröder from comment #4)
> WAIT: all good so far, will wait until tomorrow for the Jenkins tests.
OK: all Jenkins jobs are green
OK: advisory
Comment 6 Ole Schwiegert univentionstaff 2020-07-10 08:37:27 CEST
Published via Errata Update on the 10.06.2020.

If this bug occurs again please clone this bug.
Comment 7 Florian Best univentionstaff 2020-08-24 13:15:54 CEST
The bug needs to be publicly visible for the CVE assignment.