author | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-30 03:20:08 +0100 |
committer | Guilhem Moulin <guilhem.moulin@fripost.org> | 2013-01-30 03:20:08 +0100 |
commit | 73c7ba4d856553706528bf2a3ae91a82fa121c10 (patch) | |
tree | 5b2e61019f198bd9290d69cb9298ac78840801ce /ldap | |
parent | 76b3e15f27cb2c3710e06f8cc74f95809d2a45ad (diff) |
Prevent the WebApp from modifying the user passwords.
Diffstat (limited to 'ldap')
-rw-r--r-- | ldap/acl.ldif | 11 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 10 |
2 files changed, 18 insertions, 3 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5cc0ef0..970799a 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
 attrs=entry,objectClass,authzTo
 by realanonymous =x
 #
-# 1. Anonymous users can bind.
-# 2. Users can change their password (but not read it).
-# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. The WebPanel itself cannot bind, read or write passwords. This
+# guarantees that, if an attacker gains its priviledge, it will *not* be
+# able to change user passwords (which would allow him/her to read every
+# emails). This is a trick to tackle the absence of 'realgroup'.
+# 2. Anonymous users can bind.
+# 3. Users can change their password (but not read it).
+# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
 filter=(objectClass=FripostVirtualUser)
 attrs=userPassword
+ by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
 by realanonymous =xd
 by realself =w
 by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 5e92a3c..544c667 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
@@ -1617,6 +1617,16 @@ for U in ${USERS}; do
 DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
 slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization '
 done | isOK '^authorization failed$'
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on passwords"
+for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ for U2 in ${USERS}; do
+ slapacl -U "${PANEL}" -X "${DN}" -b "${U2},${SUFFIXV}" userPassword 2>&1 | grep '^userPassword: '
+ done
+done | isOK '=0$'
+[ $? -eq 0 ] || exit $?
 
 # TODO: is that needed?
 if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then |
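Review bot: The new `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` clause only works because it is the first `by` clause of this rule, and nothing in the hunk records that: OpenLDAP stops at the first `<who>` that matches, and the `by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w` clause below is evaluated against the authorization DN, so the panel proxying as a postmaster through the `authzTo` it is granted in the rule just above would otherwise regain write access — presumably what the "absence of 'realgroup'" remark alludes to. I would add `# NOTE: must stay the first 'by' clause: evaluation stops at the first matching <who>, and the group clause below matches the (proxied) authz DN, not the real DN` directly above the `=0` line so a later reorder does not silently undo the fix. This rule is scoped to `userPassword` on `FripostVirtualUser` entries under `ou=virtual`; any earlier `olcAccess` rule that also covers that attribute would take precedence and is outside this hunk. Two wording slips in the new comment block are worth fixing while here: `priviledge` → `privilege` and `read every emails` → `read every email`.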
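Review bot: Both added `[ $? -eq 0 ] || exit $?` lines exit with the status of the `[` test itself (always 1), not with the status of the `isOK` pipeline they are meant to check, so a failing check never reports the code `isOK` returned. Attaching the check to the pipeline keeps the real status: `done | isOK '=0$' || exit $?` (and likewise `done | isOK '^authorization failed$' || exit $?`). The new `DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])` line copies the unquoted `[A-Z] [a-z]` arguments from the existing loop; they are glob patterns and would expand to a filename if a single-character file in those ranges exists in the working directory — `tr '[:upper:]' '[:lower:]'` is the safe form. If `slapacl` prints no `userPassword:` line for some pair (an error message, for instance, which `2>&1` feeds through the `grep` and drops), the pipeline emits nothing for that pair and whether `isOK '=0$'` treats empty input as a failure depends on `isOK`, which is defined outside this hunk; asserting the expected number of `=0` lines would make this negative test self-checking.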