diff options
-rw-r--r-- | ldap/acl.ldif | 11 | ||||
-rwxr-xr-x | ldap/test-user-acl.sh | 10 |
2 files changed, 18 insertions, 3 deletions
diff --git a/ldap/acl.ldif b/ldap/acl.ldif index 5cc0ef0..970799a 100644 --- a/ldap/acl.ldif +++ b/ldap/acl.ldif @@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc attrs=entry,objectClass,authzTo by realanonymous =x # -# 1. Anonymous users can bind. -# 2. Users can change their password (but not read it). -# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it). +# 1. The WebPanel itself cannot bind, read or write passwords. This +# guarantees that, if an attacker gains its priviledge, it will *not* be +# able to change user passwords (which would allow him/her to read every +# emails). This is a trick to tackle the absence of 'realgroup'. +# 2. Anonymous users can bind. +# 3. Users can change their password (but not read it). +# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it). olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$" filter=(objectClass=FripostVirtualUser) attrs=userPassword + by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0 by realanonymous =xd by realself =w by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh index 5e92a3c..544c667 100755 --- a/ldap/test-user-acl.sh +++ b/ldap/test-user-acl.sh @@ -1617,6 +1617,16 @@ for U in ${USERS}; do DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z]) slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization ' done | isOK '^authorization failed$' +[ $? -eq 0 ] || exit $? + +msg "Have =0 access on passwords" +for U in ${USERS}; do + DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z]) + for U2 in ${USERS}; do + slapacl -U "${PANEL}" -X "${DN}" -b "${U2},${SUFFIXV}" userPassword 2>&1 | grep '^userPassword: ' + done +done | isOK '=0$' +[ $? -eq 0 ] || exit $? # TODO: is that needed? if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then |