exposing RELAX control on LDAP

Andrew Bartlett abartlet at samba.org
Sat Jun 5 06:50:20 MDT 2010


On Sat, 2010-06-05 at 13:30 +0400, Matthieu Patou wrote:
> Hello endi,
> 
> I just noticed today that you made the relax control exposed on LDAP, 
> I'm a bit worried about this as we tend to use this control maybe too 
> often and I have the impression that it can be a security risk.
> 
> My first question to simo or andrew b. is: am I overreacting? Is there 
> possibly a threat?

Yes, it's a threat, and while it only allows users who are otherwise
able to write to mess up the DB, that could be an issue. 

> After comes the following one:
> 
> I suppose that if you did so it's for a good reason, so can you explain 
> them? Can we reduce the range of users that can use it (with ACLs, for 
> instance)?

Yes, the code that enabled it is currently needed because of the way we
process things with the LDAP backend, but we should not permit it to be
used over LDAP, and it should be restricted to System or the provision. 

More of a worry is the 'as system' control, which should be eliminated
(we need to redesign the code that uses that), and which we need to
ensure is not exposed over LDAP. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
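The policy Andrew describes above (privileged controls such as RELAX and "as system" honoured only for the system token or the provision, never for requests arriving over the LDAP port) can be modelled as a small gate in front of the request pipeline. The following is an added illustration written for this thread, not Samba or ldb code. The RELAX OID is the OpenLDAP one (1.3.6.1.4.1.4203.666.5.12); the "as system" OID value, the `Request`/`Control` shapes and the `gate_controls`/`advertised_internal_controls` helpers are assumptions for the example.

```python
"""Gate privileged LDAP controls so they are only honoured internally.

Added example, not Samba code. It models the mitigation discussed in the
thread: internal-only controls must never be accepted from the network
LDAP front end, and even internally only the system token (provision,
dsdb internals) may use them.
"""
from dataclasses import dataclass

RELAX_OID = "1.3.6.1.4.1.4203.666.5.12"          # OpenLDAP RELAX rules control
AS_SYSTEM_OID = "1.3.6.1.4.1.7165.4.3.7"         # assumed value; verify in ldb_controls.h

# Controls that must never be honoured for a request from the LDAP port.
INTERNAL_ONLY_CONTROLS = {RELAX_OID, AS_SYSTEM_OID}

SUCCESS = 0
UNAVAILABLE_CRITICAL_EXTENSION = 12              # LDAP result code (RFC 4511)


@dataclass
class Control:
    oid: str
    critical: bool = False


@dataclass
class Request:
    controls: list
    over_ldap: bool       # True if the request came in via the network LDAP server
    is_system: bool       # True only for the internal system token


def gate_controls(req):
    """Return (result_code, controls_to_pass_on).

    A privileged control on a network request, or from a non-system internal
    caller, is refused outright when marked critical (the client asked for it
    to be honoured or fail) and silently stripped when non-critical.
    """
    allowed = []
    for c in req.controls:
        privileged = c.oid in INTERNAL_ONLY_CONTROLS
        if privileged and (req.over_ldap or not req.is_system):
            if c.critical:
                return UNAVAILABLE_CRITICAL_EXTENSION, []
            continue                              # drop the control, keep the request
        allowed.append(c)
    return SUCCESS, allowed


def advertised_internal_controls(rootdse_ldif):
    """Defender-side audit: which internal-only OIDs does the server advertise?

    Takes the text of a rootDSE search (LDIF-style 'supportedControl: <oid>'
    lines) and returns the privileged OIDs it exposes, so an operator can
    spot the problem Matthieu raised without reading server code.
    """
    exposed = []
    for line in rootdse_ldif.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "supportedControl":
            oid = value.strip()
            if oid in INTERNAL_ONLY_CONTROLS:
                exposed.append(oid)
    return exposed


# Constructed sample rootDSE output (not captured from a real server).
SAMPLE_ROOTDSE = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.3.6.1.4.1.4203.666.5.12
supportedControl: 1.2.840.113556.1.4.473
"""

if __name__ == "__main__":
    net = Request([Control(RELAX_OID, critical=True)], over_ldap=True, is_system=False)
    print("network RELAX ->", gate_controls(net))
    print("exposed over LDAP:", advertised_internal_controls(SAMPLE_ROOTDSE))
```

Stripping a non-critical control rather than failing the whole operation mirrors the LDAP rule that a server may ignore non-critical controls it does not honour; the critical case has to fail, or a client could never tell that its RELAX request was silently downgraded.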

