Extended request in kludge acl
Nadezhda Ivanova
nivanova at samba.org
Fri Jul 9 02:56:40 MDT 2010
And again I disagree. It has the potential to be misused and I dont like it.
I'll think some more on how we can reconcile the issue.
Regards,
Nadya
On Thu, Jul 8, 2010 at 8:38 PM, Matthias Dieter Wallnöfer <mdw at samba.org>wrote:
> Hi Nadya,
>
> I've tried to introduce the user <-> message equal DN check but didn't had
> in mind that also other authorized users (with the change permission set -
> as the default Administrator) can call "samr_ChangePasswordUser" (as it's
> with the standard LDAP user-password change). Therefore tests broke and I
> had to revert.
> Then I thought about the behaviour that every one can change other people's
> password. And no, this isn't a security leak since you have to know the old
> password. And then it is just the same if you login with the other user
> credentials (username and the old password you know) and then perform the
> password change.
>
> I really think we need to apply the short (first) version.
>
> Greets,
> Matthias
>
> Nadezhda Ivanova wrote:
>
>> Hi Andrew,
>> We had some discussion with Matthias on IRC, and we came up with 3 ways to
>> solve the problem.
>> One way is to keep the control and apply the patch as it is. I really do
>> not like it because of reasons listed in previous mails. Another is to use
>> an extended operation, which would complicate things and is yet another way
>> to bypass security checks.
>> The third way, which I am most in favor of, is for the samr to actually
>> start providing both passwords on a password change, so we can use the
>> standard flow of things. It just seems wrong to me to use sambd_set_password
>> instead of a function that will provide both, and then introduce internal
>> hacks to handle the problem.
>>
>> What do you think?
>>
>> Regards,
>> Nadya
>>
>> On Thu, Jul 8, 2010 at 10:45 AM, Matthias Dieter Wallnöfer <mdw at samba.org<mailto:
>> mdw at samba.org>> wrote:
>>
>> Could we discuss this on IRC with Andrew?
>>
>> Matthias
>>
>> Nadezhda Ivanova wrote:
>>
>> Hi Matthias,
>> I thought some more about the patch and I have missed
>> something very important.
>> This patch makes it so given the control we actually execute a
>> reset operation with the permissions of a change operation.
>> However, every user account actually is given permission to
>> change every other accoun't password. There is an ACE that
>> comes from the defaultSd that gives this right to EVERYONE.
>> The only thing that we count on after that is that the user
>> knows the correct old password to verify identity. With the
>> replace its different, permission has to be granted. So what
>> you are proposing is to essentially allow everyone to reset a
>> user's password with samr, which worries me A LOT. Maybe there
>> is something I am missing on the samr side.
>>
>> Sorry I did not think of this earlier...
>>
>> Regards,
>> Nadya
>>
>>
>> On Thu, Jul 8, 2010 at 10:20 AM, Matthias Dieter Wallnöfer
>> <mdw at samba.org <mailto:mdw at samba.org> <mailto:mdw at samba.org
>>
>> <mailto:mdw at samba.org>>> wrote:
>>
>> Andrew,
>>
>> Andrew Bartlett wrote:
>>
>> On Thu, 2010-07-08 at 08:12 +0200, Matthias Dieter
>> Wallnöfer
>> wrote:
>> The approach you suggest would also work, but would
>> not have
>> as strict a
>> control over the transaction, as you would not be in the
>> transaction
>> when the old pw was checked. (I'm not sure this
>> matters in
>> practice,
>> given you could have the same race on multiple DCs anyway).
>>
>> Well, we have only one search/read request and then one modify
>> one. I think it should be safe to split them up in two distinct
>> transactions since the latter one (mainly the code in
>> "password_hash" module) has to be performed in an atomic
>> manner.
>>
>> Like the AS_SYSTEM control, this control is a little
>> dangerous, and
>> would have to be carefully restricted. Please ensure
>> the kpasswd
>> password change code handles this too.
>>
>> The control is strictly private. You cannot set it over the
>> LDAP
>> protocol. But anyway I'm fine to rechange the code when we do
>> support extended operations ACLs. The kpasswd patch does
>> naturally
>> also exist - it's here:
>>
>> http://repo.or.cz/w/Samba/mdw.git/commitdiff/11f24a9a72d4c47359662ee5ba63433ac11e4b2c
>> .
>>
>> The code was tested manually and by "make test" and it does
>> work.
>> I hope you are fine about pushing it.
>>
>> Matthias
>>
>>
>>
>>
>>
>
More information about the samba-technical
mailing list