On Aug 6, 2012, at 1:55 PM, [email protected] wrote:
> Full_Name: Daniel Pluta
> Version: MASTER
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (2001:470:9feb:ff03:e455:e36f:5b06:b2f1)
>
>
> The "Enhancement for dnattr=... ACL" we've described within the LDAPcon2011
> paper (http://www.daasi.de/ldapcon2011/downloads/plutahommelweinert-paper.pdf,
> Chapter VI, Section G., pdf page 7, left column bottom) seems to be still very
> useful in our opinion.
>
> We (Peter an me) have discussed the idea behind this enhancement together with
> Howard during dinner the day before the LDAPCon2011 officially started. We
> described the enhancement as some kind of
> "dnattr-based-administrator-less-2-way-handshake-entry-responsibility(-owner)-transition".
>
> Until today ITS#6900 contains a prototypical patch (very dirty hack), to
> demonstrate the described enhancement's mode of operation.
>
> The good news:
> Probably this hack isn't needed anymore in the future and thus ITS#6900 could
> be
> closed, but just in case ...
>
> The bad news:
> ... another (hopefully) less intrusive and generally useful patch, that seems
> to
> be implementable without introducing new keywords can be realized instead:
>
> In http://www.openldap.org/lists/openldap-technical/201208/msg00040.html Kurt
> explained that the acl privilege levels "a" and "z" share one bit with the "w"
> privilege's bit set. Thus currently neither "a" nor "z" can be independently
> substracted from "w" in the way either "z" or "a" remains in the privilege
> set.
> Subtracting "a" or "z" results in removing the complete "w" privilege
> (including
> "a" and "z").
Looking back at the devel discussion about the introduction of a/z privs (April
2005), there seems to have been no consideration of subtractive access
controls. That is, I think the we all just missed the a/z feature was not
implemented in a manner which supported subtractive access controls. Or, more
simply put, whoops.
Using qualifiers was the mistake. Just should of replaced one bit with 2 bits,
with some operations requesting one or the other or both bits.
> In case the bit masks of the privileges "a", "z", and "w" can be separated
> (introducing exclusive masks for ACL_WADD, ACL_WDEL and ACL_WRITE), the
> following acl set offers the above described mode of operation (out-of-the-box
> without the need to apply the hack submitted with ITS#6900):
>
> {0}to dn.base="ou=groups,o=iacm" attrs=children by users write by * none
> {1}to dn.one="ou=groups,o=iacm" attrs=owner by dnattr=owner =dxcsraz
> continue
> by dnattr=modifiersName -z by * none
> {2}to dn.one="ou=groups,o=iacm" attrs=entry,@groupOfNames by dnattr=owner
> write
> by * none
>
> I've not been able to test this acls yet (due to no available hack/patch). At
> least in theory it should represent the mentioned enhancement's mode of
> operation:
> The owner attribute can be modified (add and delete) by any owner, but no
> owner
> can remove himself from the owner attribute to either repudiate his personal
> responsibility for an entry or to produce a dangling entry (an administrator
> needs to clean up), in case it's the last owner.
I'd have to think a bit harder whether the access controls above implement this
properly, but I am sure {1} can be written using non-substractive ACLs. Off
hand, probably requiring two to do it.
> Herewith, the request for a more detailed description of a usecase where
> substractive privileges are of general use should be answered.
The general use case of additive and subtractive ACL is that it sometimes makes
ACLs shorter.
> Additionally I
> also thought about the statement, that "good ACLs" are either static or
> additive:
I think I used the word "should", as in subtractive ACLs should be avoided.
There are likely cases where their use can be well justified, just like default
grant rules can sometimes be well justified. However, many security experts
advise use of explicit grants (=) or additive (+) grants. I generally concur
with this advice.
> I have not been able to find a static or additive ACL solution to
> implement the above described functionality in a similar elegant way (e.g.
> without administratively maintained group patterns)
>
> Alternative 1: (elegant static/additive ACL)
> There possibly exists a solution to express the above described mode of
> operation already nowadays by using static and additive acls only, if so, I
> appreciate any advice.
>
> Alternative 2: (coding the bitmask-separation)
> I have no clue how(h)ard ;-) it is to implement (especially test) a
> successfull
> separation of these bit masks. It was mentioned that the incremental
> processing
> of privileges has been added later and the underlying design could be
> suboptimal. Currently I don't know which pitfalls to be aware of (especially
> in
> and around acl.c). Nevertheless and depending on the answer to alternative 1,
> I'm interessted to give it a try, thus any thoughts and hints are very
> welcome,
> too.
The latter should be the preferred approach, IMO. The question I would have is
wether an implementation of such would have any negative impact upon
deployments. That's a real hard one to access, as deployments do some pretty
crazy things. In short, it comes does to whether anyone does =w continue
followed by -a or -z and expecting the outcome not to z or a respectively.
-- Kurt
>
> Thanks a lot!
>
