Extended request in kludge acl

Nadezhda Ivanova nivanova at samba.org
Thu Jul 8 01:38:33 MDT 2010


Hi Matthias,
I thought some more about the patch and I have missed something very
important.
This patch makes it so given the control we actually execute a reset
operation with the permissions of a change operation. However, every user
account actually is given permission to change every other account's
password. There is an ACE that comes from the defaultSd that gives this
right to EVERYONE. The only thing that we count on after that is that the
user knows the correct old password to verify identity. With the replace it's
different, permission has to be granted. So what you are proposing is to
essentially allow everyone to reset a user's password with samr, which
worries me A LOT. Maybe there is something I am missing on the samr side.

Sorry I did not think of this earlier...

Regards,
Nadya


On Thu, Jul 8, 2010 at 10:20 AM, Matthias Dieter Wallnöfer <mdw at samba.org> wrote:

> Andrew,
>
> Andrew Bartlett wrote:
>
>> On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter Wallnöfer wrote:
>>   The approach you suggest would also work, but would not have as strict a
>> control over the transaction, as you would not be in the transaction
>> when the old pw was checked.   (I'm not sure this matters in practice,
>> given you could have the same race on multiple DCs anyway).
>>
>>
> Well, we have only one search/read request and then one modify one. I think
> it should be safe to split them up in two distinct transactions since the
> latter one (mainly the code in "password_hash" module) has to be performed
> in an atomic manner.
>
>> Like the AS_SYSTEM control, this control is a little dangerous, and
>> would have to be carefully restricted.  Please ensure the kpasswd
>> password change code handles this too.
>>
>>
> The control is strictly private. You cannot set it over the LDAP protocol.
> But anyway I'm fine to rechange the code when we do support extended
> operations ACLs. The kpasswd patch does naturally also exist - it's here:
> http://repo.or.cz/w/Samba/mdw.git/commitdiff/11f24a9a72d4c47359662ee5ba63433ac11e4b2c
> .
>
> The code was tested manually and by "make test" and it does work. I hope
> you are fine about pushing it.
>
> Matthias
>
>
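
The change/reset distinction raised in the message above (an ACE from the defaultSd gives the change right to EVERYONE, while reset has to be granted), as an added example that is not part of the original thread or of Samba's code. The DACL string is a constructed sample; the two GUIDs are the AD schema's User-Change-Password and User-Force-Change-Password control access rights, and deny ACEs, ACE order and inheritance are ignored as a stated simplification.

```python
import re

# Control access right GUIDs from the AD schema (extended rights).
CHANGE_PASSWORD = "ab721a53-1e2f-11d0-9819-00aa0040529b"  # User-Change-Password
RESET_PASSWORD = "00299570-246d-11d0-a768-00aa006e0529"   # User-Force-Change-Password
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100                       # "CR" in SDDL

# Constructed DACL for illustration (not dumped from a real directory):
# DA = Domain Admins, PS = the account itself, WD = Everyone, AU = Authenticated Users.
SAMPLE_DACL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(OA;;CR;" + CHANGE_PASSWORD + ";;PS)"
    "(OA;;CR;" + CHANGE_PASSWORD + ";;WD)"
    "(A;;RPLCLORC;;;AU)"
)

def has_control_access(rights):
    """True if an SDDL rights field includes CR (hex mask or two-letter codes)."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & ADS_RIGHT_DS_CONTROL_ACCESS)
    # Split into two-letter codes so "RC"+"RP" is not misread as "CR".
    return "CR" in [rights[i:i + 2] for i in range(0, len(rights), 2)]

def trustees_with_right(sddl, right_guid):
    """Trustees that an allow ACE grants the given control access right.

    Simplification (assumption): deny ACEs, ACE order and inheritance flags
    are ignored; a real access check must honour all three.
    """
    granted = set()
    for ace in re.findall(r"\(([^)]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields
        if ace_type not in ("A", "OA") or not has_control_access(rights):
            continue
        # An empty object GUID means CR applies to every extended right.
        if obj_guid == "" or obj_guid.lower() == right_guid:
            granted.add(trustee)
    return granted

if __name__ == "__main__":
    print("change:", sorted(trustees_with_right(SAMPLE_DACL, CHANGE_PASSWORD)))
    print("reset: ", sorted(trustees_with_right(SAMPLE_DACL, RESET_PASSWORD)))
```

With this sample, WD holds the change right but not the reset right, so a reset that is authorized only by the change check would be open to every trustee in the first set.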