authorGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 03:20:08 +0100
committerGuilhem Moulin <guilhem.moulin@fripost.org>2013-01-30 03:20:08 +0100
commit73c7ba4d856553706528bf2a3ae91a82fa121c10 (patch)
tree5b2e61019f198bd9290d69cb9298ac78840801ce
parent76b3e15f27cb2c3710e06f8cc74f95809d2a45ad (diff)
Prevent the WebApp from modifying the user passwords.
-rw-r--r--ldap/acl.ldif11
-rwxr-xr-xldap/test-user-acl.sh10
2 files changed, 18 insertions, 3 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5cc0ef0..970799a 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
attrs=entry,objectClass,authzTo
by realanonymous =x
#
-# 1. Anonymous users can bind.
-# 2. Users can change their password (but not read it).
-# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. The WebPanel itself cannot bind, read or write passwords. This
+# guarantees that, if an attacker gains its priviledge, it will *not* be
+# able to change user passwords (which would allow him/her to read every
+# emails). This is a trick to tackle the absence of 'realgroup'.
+# 2. Anonymous users can bind.
+# 3. Users can change their password (but not read it).
+# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
filter=(objectClass=FripostVirtualUser)
attrs=userPassword
+ by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
by realanonymous =xd
by realself =w
by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
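Review bot: The added `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` clause on the userPassword rule only works because it is placed before `by realself =w`; OpenLDAP evaluates `by` clauses in order and stops at the first whose subject matches, and when the panel proxies as a user (the authzTo attribute in the context above suggests it does) both the realdn clause and the realself clause match that same request. Nothing in the hunk says the ordering is load-bearing, so a later edit that re-sorts or appends clauses would silently give the panel password writes back. I would put a comment directly above the new line, `# Must stay first: realself =w and the postmaster clause below also match a proxied WebPanel bind.` The explanatory block also misspells `priviledge` (privilege) and `every emails` (every email).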
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 5e92a3c..544c667 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -1617,6 +1617,16 @@ for U in ${USERS}; do
DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization '
done | isOK '^authorization failed$'
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on passwords"
+for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ for U2 in ${USERS}; do
+ slapacl -U "${PANEL}" -X "${DN}" -b "${U2},${SUFFIXV}" userPassword 2>&1 | grep '^userPassword: '
+ done
+done | isOK '=0$'
+[ $? -eq 0 ] || exit $?
# TODO: is that needed?
if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then