Need a change to the ACL code

Andrew Bartlett abartlet at samba.org
Wed Mar 10 13:24:03 MST 2010


On Mon, 2010-03-08 at 17:58 +0200, Nadezhda Ivanova wrote: 
> Hi Andrew,
> It appears I need more help with this one...
> I made the following test against win2008:
> Created an OU with Administrator, gave a regular user permission to create
> users in this OU, but denied permission to modify otherHomePhone - denied
> WRITE_PROPERTY.
> After that, logged in as that regular user, created another user in that OU.
> The user was successfully created, and the otherHomePhone was set to the
> value provided.
> I may still be doing something wrong, but filtering/checking per-attribute
> rights on an add operation is not documented anywhere that I could find. Can
> you tell me how to reproduce such an issue, even using the MS management tools?

Well, I personally think it's a security hole in Windows if you can't
outright ban addition of objects with specified attributes.  Imagine
otherHomePhone were instead 'jobTitle', and the helpdesk was allowed to
add users, but only HR could set job titles?

Anyway, I suppose it's probably a question for dochelp...

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
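For readers following the thread, here is a model of the check Andrew is arguing for: an LDAP add that is authorised not only by CREATE_CHILD on the parent but also by WRITE_PROPERTY on every attribute the new object carries. This is an added, hypothetical example written for this page; it is not Samba's ACL module and not Windows' security-descriptor evaluation. It assumes a canonically ordered DACL (explicit denies first), string trustees instead of SIDs, attribute and class names instead of schemaIDGUIDs, and treats the parent OU's inheritable ACEs as the DACL of the new child (a real DC also merges the class's defaultSecurityDescriptor). The access-mask values are the real ADS_RIGHTS_ENUM bits; everything else, including the helpdesk/HR DACL, is constructed for the example.

```python
"""Per-attribute access check on an LDAP add operation.

Hypothetical, simplified model written for this note: not Samba's ACL
module and not how Windows evaluates security descriptors.
"""
from dataclasses import dataclass
from typing import Optional

# Access mask bits from the Windows ADS_RIGHTS_ENUM (these two are real).
DS_CREATE_CHILD = 0x01
DS_WRITE_PROP = 0x20


@dataclass(frozen=True)
class Ace:
    allow: bool                         # True = ACCESS_ALLOWED, False = ACCESS_DENIED
    trustee: str                        # who the ACE applies to (name here, SID in real life)
    mask: int                           # access-rights bits
    object_type: Optional[str] = None   # attribute or class the ACE is scoped to; None = whole object
    inherit: bool = False               # True: also applies to children created under this object


def access_check(dacl, token, desired, object_type):
    """Return True if every bit in `desired` is granted for `object_type`.

    Walks the ACL in order. An object-specific ACE only counts when its
    object_type matches the one being asked about; an ACE with no
    object_type applies to everything. A matching deny that overlaps the
    desired rights refuses access outright; allows accumulate until the
    whole desired mask is covered. Assumes canonical ordering (explicit
    denies before explicit allows), as Windows tools write it.
    """
    granted = 0
    for ace in dacl:
        if ace.trustee not in token:
            continue
        if ace.object_type is not None and ace.object_type != object_type:
            continue
        if not ace.allow:
            if ace.mask & desired:
                return False
            continue
        granted |= ace.mask & desired
        if granted == desired:
            return True
    return granted == desired


def check_add(parent_dacl, token, child_class, attrs):
    """Authorise adding a `child_class` object with `attrs` under the parent.

    1. CREATE_CHILD for the class, checked on the parent's DACL.
    2. WRITE_PROPERTY for every supplied attribute, checked against the ACEs
       the new object inherits from the parent (simplification: the class's
       defaultSecurityDescriptor is ignored).
    Returns (ok, reason) so the caller can map it to an LDAP result.
    """
    if not access_check(parent_dacl, token, DS_CREATE_CHILD, child_class):
        return False, "insufficientAccessRights: CREATE_CHILD %s" % child_class
    inherited = [ace for ace in parent_dacl if ace.inherit]
    for attr in sorted(attrs):
        if not access_check(inherited, token, DS_WRITE_PROP, attr):
            return False, "insufficientAccessRights: WRITE_PROPERTY %s" % attr
    return True, "ok"


# Constructed DACL mirroring the thread's scenario: the helpdesk may create
# users and write their attributes, except jobTitle, which only HR may set.
OU_DACL = [
    Ace(allow=False, trustee="helpdesk", mask=DS_WRITE_PROP, object_type="jobTitle", inherit=True),
    Ace(allow=True, trustee="helpdesk", mask=DS_CREATE_CHILD, object_type="user"),
    Ace(allow=True, trustee="helpdesk", mask=DS_WRITE_PROP, inherit=True),
    Ace(allow=True, trustee="hr", mask=DS_WRITE_PROP, object_type="jobTitle", inherit=True),
]


def demo():
    """Run the three cases a tester would try and return their outcomes."""
    helpdesk = {"helpdesk"}
    return {
        "plain_add": check_add(OU_DACL, helpdesk, "user", {"cn", "sAMAccountName"}),
        "add_with_jobTitle": check_add(OU_DACL, helpdesk, "user", {"cn", "jobTitle"}),
        "hr_cannot_create": check_add(OU_DACL, {"hr"}, "user", {"cn", "jobTitle"}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print("%s: %s (%s)" % (name, "ALLOW" if ok else "DENY", reason))
```

The second case is the one from the thread: with the deny ACE in place, an add that carries jobTitle fails at the attribute check even though CREATE_CHILD succeeded, which is the behaviour Andrew says a directory should have and Nadezhda did not observe on Windows 2008. Drop the first ACE and the same add passes, so a test against a real server should compare exactly those two runs.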


