On Sat, Mar 05, 2005 at 09:01:44PM +0100, Petter Reinholdtsen wrote:
> > Now the problem is that we need slapd to do this:
> >
> > members in group A can read/write to certain attributes of entries in
> > group B.
> > members in group C can read/write to certain attributes of entries in
> > group A and B and C.
> >
> > So we filter both the subject and the object of our ACL based on
> > group membership.
>
> Would it be ok for the users with extra rights to be able to modify
> the passwords of _all_ users, or should the extra rights be limited to
> the pupils only? In short, should the junior admins be allowed to
> change the password of teachers, admins and junior admins in addition
> to changing the password of pupils, or should they only have access to
> changing passwords for pupils?
>
> I suspect it might be easier to allow junior admins to change
> passwords of _all_ users. What do you think?
That would open the door to a trivial privilege escalation attack: the jradmin could change the password of an admin in group Admins, log in as admin and become root. This could not be easily avoided with further ACLs, I think, since it is the same problem as before, but backwards.
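To make the escalation concrete, here is an slapd.conf ACL fragment added as an illustration; it is not from the thread and not any project's actual configuration. It assumes a hypothetical DIT under dc=example,dc=org with users under ou=people, groupOfNames entries cn=admins, cn=jradmins and cn=pupils under ou=groups, and the memberof overlay (OpenLDAP 2.4 or later) maintaining a memberOf attribute on user entries so that the target side of a rule can be filtered by group membership. Without the overlay, a marker attribute such as the pupils' gidNumber or a separate ou=pupils subtree can stand in for the filter. The first clause is the broad grant being discussed, kept only for contrast; the clauses after it filter both the subject (who binds) and the object (whose entry) so that junior admins can only write userPassword on pupil entries.

```conf
# Added example, not from the original mail. Assumed DIT: dc=example,dc=org,
# users under ou=people, groupOfNames groups under ou=groups, memberof
# overlay loaded so that user entries carry a memberOf attribute.
# slapd.conf treats lines starting with whitespace as continuations.

########## Broad grant (the variant proposed in the quoted mail) ##########
# jradmins may write userPassword on ANY entry, including members of
# cn=admins: a jradmin resets an admin's password, binds as that admin and
# inherits the admin's rights. Do not deploy this clause; it is the "before".
access to attrs=userPassword
        by self write
        by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=org" write
        by group/groupOfNames/member="cn=jradmins,ou=groups,dc=example,dc=org" write
        by anonymous auth
        by * none

########## Restricted grant: subject AND object are filtered ##########
# slapd uses the first "access to" clause whose target matches, and within
# it the first matching "by", so the pupil-specific clause must precede the
# catch-all for userPassword.
# Object side: only entries that are members of cn=pupils (memberOf filter).
# Subject side: the user, full admins, junior admins.
access to dn.subtree="ou=people,dc=example,dc=org"
        filter=(memberOf=cn=pupils,ou=groups,dc=example,dc=org)
        attrs=userPassword
        by self write
        by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=org" write
        by group/groupOfNames/member="cn=jradmins,ou=groups,dc=example,dc=org" write
        by anonymous auth
        by * none

# Everyone else (teachers, admins, and the jradmins themselves): only the
# entry's owner and full admins may write userPassword. A jradmin matches
# none of the "by" lines except "by * none", so resetting an admin's
# password is refused.
access to attrs=userPassword
        by self write
        by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=org" write
        by anonymous auth
        by * none

# The filter is only as trustworthy as its input: if jradmins could write
# the member attribute of the groups, they could first add an admin to
# cn=pupils and then reset that admin's password under the pupil clause.
# Group membership therefore stays admin-only (the overlay-maintained
# memberOf attribute must likewise not be user-writable).
access to dn.subtree="ou=groups,dc=example,dc=org" attrs=member
        by group/groupOfNames/member="cn=admins,ou=groups,dc=example,dc=org" write
        by * read
```

The point of the example is the ordering: the object-side restriction lives in the more specific clause that comes first, and the broad userPassword clause that follows deliberately omits the jradmins group, so the only way for a junior admin to reach a write is through an entry that is already a pupil. Whether that counts as "easy" depends on whether the directory already exposes membership on the user entry; without memberOf or an equivalent marker, the target-side filter cannot express "is in group pupils" at all.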

