Bug 41720

Summary: LDAP ACLs: staff is able to modify shares - but should not
Product: UCS@school Reporter: Sönke Schwardt-Krummrich <schwardt>
Component: LDAP    Assignee: Florian Best <best>
Status: CLOSED FIXED QA Contact: Sönke Schwardt-Krummrich <schwardt>
Severity: normal    
Priority: P5 CC: gohmann
Version: UCS@school 4.1    Keywords: interim-2
Target Milestone: UCS@school 4.1 R2 vXXX   
Hardware: Other   
OS: Linux   
What kind of report is it?: Security Issue What type of bug is this?: ---
Who will be affected by this bug?: --- How will those affected feel about the bug?: ---
User Pain: Enterprise Customer affected?:
School Customer affected?: ISV affected?:
Waiting Support: Flags outvoted (downgraded) after PO Review:
Ticket number: Bug group (optional):
Max CVSS v3 score:
Bug Depends on: 41115    
Bug Blocks: 42065, 43042    

Description Sönke Schwardt-Krummrich univentionstaff 2016-07-03 23:00:58 CEST
UCS@school staff users are now able to modify shares with new LDAP ACLs:

 dn: cn=Marktplatz,cn=shares,ou=schoolA,dc=nstx,dc=local
+univentionShareWriteable: =wrscxd
-univentionShareWriteable: =rscxd
+univentionShareUid: =wrscxd
-univentionShareUid: =rscxd
+univentionShareSambaWriteable: =wrscxd
-univentionShareSambaWriteable: =rscxd
+univentionShareSambaStrictLocking: =wrscxd
-univentionShareSambaStrictLocking: =rscxd
+univentionShareSambaSecurityMode: =wrscxd
-univentionShareSambaSecurityMode: =rscxd
+univentionShareSambaPublic: =wrscxd
-univentionShareSambaPublic: =rscxd
+univentionShareSambaOplocks: =wrscxd
-univentionShareSambaOplocks: =rscxd
+univentionShareSambaNtAclSupport: =wrscxd
-univentionShareSambaNtAclSupport: =rscxd
+univentionShareSambaName: =wrscxd
[...]

Everything else for staff users seems to be ok.

+++ This bug was initially created as a clone of Bug #41115 +++
Comment 1 Florian Best univentionstaff 2016-07-04 12:29:56 CEST
ucs-school-ldap-acls-master (14.0.1-6):
r70787 | Bug #41720: adjust joinscript version
r70786 | Bug #41720: staff only users should not be able to modify shares

ucs-school-ldap-acls-master.yaml:
r70788 | YAML Bug #41720

Package: ucs-school-ldap-acls-master
Version: 14.0.1-6.75.201607041226
Branch: ucs_4.1-0
Scope: ucs-school-4.1r2
Comment 2 Sönke Schwardt-Krummrich univentionstaff 2016-07-08 12:36:51 CEST
OLD:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator) 
  (objectClass=ucsschoolStaff)
)

NEW:
(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator) 
  (&(objectClass=ucsschoolTeacher)(objectClass=ucsschoolStaff))
)

If I'm not mistaken, there is now redundancy in the search filter.
→ (|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator))
  should be sufficient

REOPEN: code change
OK: YAML
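To make the redundancy in comment 2 visible, here is an added example that is not part of the bug report or of the ucs-school-ldap-acls-master package: a small evaluator for the LDAP filter subset used in the comment (equality, &, |, !), run over constructed entries for a teacher, an administrator, a staff-only user and a teacher who is also staff. The constant names OLD/NEW/SIMPLE, the function names and the entries are assumptions made for this illustration; the two objectClass filters are taken from the comment.

```python
# Added example (not from the bug report): evaluate the RFC 4515 filter subset
# used in comment 2 (equality, &, |, !) against constructed user entries.
OLD = ("(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)"
       "(objectClass=ucsschoolStaff))")
NEW = ("(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator)"
       "(&(objectClass=ucsschoolTeacher)(objectClass=ucsschoolStaff)))")
SIMPLE = "(|(objectClass=ucsschoolTeacher)(objectClass=ucsschoolAdministrator))"

# constructed entries (attribute -> set of values); the names are hypothetical
ENTRIES = {
    "teacher": {"objectClass": {"ucsschoolType", "ucsschoolTeacher"}},
    "admin": {"objectClass": {"ucsschoolType", "ucsschoolAdministrator"}},
    "staff_only": {"objectClass": {"ucsschoolType", "ucsschoolStaff"}},
    "teacher_and_staff": {"objectClass": {"ucsschoolType", "ucsschoolTeacher",
                                          "ucsschoolStaff"}},
}

def parse(text, i=0):
    """Parse one parenthesised filter at text[i]; return (node, index after it)."""
    if text[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if text[i] in "&|!":                      # composite filter
        op, kids, i = text[i], [], i + 1
        while text[i] == "(":
            node, i = parse(text, i)
            kids.append(node)
        if text[i] != ")":
            raise ValueError("unbalanced filter at offset %d" % i)
        return (op, kids), i + 1
    end = text.index(")", i)                  # simple (attr=value) item
    attr, value = text[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "=":
        return node[2] in entry.get(node[1], set())
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)     # "!" has exactly one child

def who_matches(filter_text, entries=ENTRIES):
    """Sorted names of the entries the filter selects, i.e. whom the ACL clause covers."""
    node, _ = parse(filter_text)
    return sorted(n for n, e in entries.items() if matches(node, e))
```

Running `who_matches` over the three filters shows that OLD is the only one selecting the staff-only entry, and that NEW and SIMPLE select exactly the same entries, which is the redundancy the comment points out.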
Comment 3 Florian Best univentionstaff 2016-07-08 15:49:37 CEST
You are right.

ucs-school-ldap-acls-master (14.0.1-8):
r70904 | Bug #41720: simplify filter
Comment 4 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:16:05 CEST
OK: code change
OK: functional test
OK: YAML
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2016-08-08 14:30:09 CEST
Back to RESOLVED for additional ucs-test scripts.
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2016-08-18 17:21:28 CEST
(In reply to Sönke Schwardt-Krummrich from comment #5)
> Back to RESOLVED for additional ucs-test scripts.

ucs-test-ucsschool (3.0.14-5):
r71727 | Bug #41720: check if users are able to read but not able to modify shares objects
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2016-08-19 14:32:49 CEST
UCS@school 4.1 R2 v4 has been released.

http://docs.software-univention.de/changelog-ucsschool-4.1R2v4-de.html

If this error occurs again, please clone this bug.