exposing RELAX control on LDAP
Matthieu Patou
mat at samba.org
Sat Jun 5 09:32:02 MDT 2010
On 05/06/2010 16:50, Andrew Bartlett wrote:
> On Sat, 2010-06-05 at 13:30 +0400, Matthieu Patou wrote:
>
>> Hello endi,
>>
>> I just noticed today that you made the relax control exposed on LDAP,
>> I'm a bit worried about this as we tend to use this control maybe too
>> often and I have the impression that it can be a security risk.
>>
>> My first question to simo or andrew b. is am I over reacting ? Is there
>> possibly a threat ?
>>
> Yes, it's a threat, and while it only allows users who are otherwise
> able to write to mess up the DB, that could be an issue.
>
Yep ! We hardly know what a 'oh he must have already write access to do
so' problem can lead to.
>
>> After comes the following one:
>>
>> I suppose that if you did so it's for a good reason, so can you explain
>> them, can we reduce the range of users that can use it (with ACLs for
>> instance).
>>
> Yes, the code that enabled it is currently needed because of the way we
> process things with the LDAP backend, but we should not permit it to be
> used over LDAP, and it should be restricted to System or the provision.
>
>
Great, I opened a bug request to track this.
I still don't understand why even with the ldap backend we need to
expose this from the outside.
The following request: ldbmodify -H /usr/local/samba/private/sam.ldb
--controls "relax:0" foo.ldif is supposed to work in the correct way
with ldap backend as well no ?
> More of a worry is the 'as system' control, which should be eliminated
> (we need to redesign the code that uses that), and which we need to
> ensure is not exposed over LDAP.
>
What is the name or the OID of this control ?
Matthieu.
--
Matthieu Patou
Samba Team http://samba.org
More information about the samba-technical
mailing list