From 73c7ba4d856553706528bf2a3ae91a82fa121c10 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Wed, 30 Jan 2013 03:20:08 +0100
Subject: Prevent the WebApp from modifying the user passwords.

---
 ldap/acl.ldif | 11 ++++++++---
 ldap/test-user-acl.sh | 10 ++++++++++
 2 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/ldap/acl.ldif b/ldap/acl.ldif
index 5cc0ef0..970799a 100644
--- a/ldap/acl.ldif
+++ b/ldap/acl.ldif
@@ -45,12 +45,17 @@ olcAccess: to dn.exact="cn=AdminWebPanel,ou=services,o=mailHosting,dc=fripost,dc
  attrs=entry,objectClass,authzTo
  by realanonymous =x
 #
-# 1. Anonymous users can bind.
-# 2. Users can change their password (but not read it).
-# 3. The postmaster of a domain can change (replace) his/her users' password (but not read it).
+# 1. The WebPanel itself cannot bind, read or write passwords. This
+# guarantees that, if an attacker gains its priviledge, it will *not* be
+# able to change user passwords (which would allow him/her to read every
+# emails). This is a trick to tackle the absence of 'realgroup'.
+# 2. Anonymous users can bind.
+# 3. Users can change their password (but not read it).
+# 4. The postmaster of a domain can change (replace) his/her users' password (but not read it).
 olcAccess: to dn.regex="^fvl=[^,]+,(fvd=[^,]+,ou=virtual,o=mailHosting,dc=fripost,dc=dev)$"
  filter=(objectClass=FripostVirtualUser)
  attrs=userPassword
+ by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0
  by realanonymous =xd
  by realself =w
  by group/FripostVirtualDomain/fripostPostmaster.expand="$1" =w
diff --git a/ldap/test-user-acl.sh b/ldap/test-user-acl.sh
index 5e92a3c..544c667 100755
--- a/ldap/test-user-acl.sh
+++ b/ldap/test-user-acl.sh
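Review bot: The added `by realdn.exact="uid=AdminWebPanel@fripost.org,cn=auth" =0` clause only denies the panel because OpenLDAP stops at the first `by` clause whose subject matches, so it must stay ahead of the postmaster `group/...` clause, which (as the new comment itself notes, given the absence of `realgroup`) can match the panel's proxied identity; nothing in the hunk records that ordering as an invariant, and a later reorder would silently re-grant write access. A comment directly above the new line, such as `# NOTE: keep this clause first; the group clause below matches the proxied (authzTo) identity, not the real one`, would make the dependency explicit. The explanatory comment also has two wording slips, `priviledge` → `privilege` and `read every emails` → `read every email`.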
@@ -1617,6 +1617,16 @@ for U in ${USERS}; do
 DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
 slapauth -U "${PANEL}" -X "${DN}" 2>&1 | grep '^authorization '
 done | isOK '^authorization failed$'
+[ $? -eq 0 ] || exit $?
+
+msg "Have =0 access on passwords"
+for U in ${USERS}; do
+ DN=$(echo "dn:${U},${SUFFIXV}" | tr [A-Z] [a-z])
+ for U2 in ${USERS}; do
+ slapacl -U "${PANEL}" -X "${DN}" -b "${U2},${SUFFIXV}" userPassword 2>&1 | grep '^userPassword: '
+ done
+done | isOK '=0$'
+[ $? -eq 0 ] || exit $?
 
 # TODO: is that needed?
 if test -x /usr/bin/sudo && sudo -u fpanel klist >/dev/null; then
-- 
cgit v1.2.3
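Review bot: The two added `[ $? -eq 0 ] || exit $?` lines exit with the status of `[` itself (always 1), not with the status of the `isOK` pipeline they are meant to propagate; `|| exit 1` states what actually happens, or `rv=$?; [ "$rv" -eq 0 ] || exit "$rv"` if the real status matters. The new loop also routes slapacl's stderr through `grep '^userPassword: '`, so an invocation error yields no output lines at all — if `isOK` (defined outside the hunk) accepts empty input, a broken slapacl call would make this ACL check pass rather than fail, so a guard that at least one line was produced is worth adding. The unquoted `tr [A-Z] [a-z]` in the copied `DN=` line is a shell glob that can match single-letter files in the working directory; `tr '[:upper:]' '[:lower:]'` avoids that. Finally, the loop only exercises the panel proxied as each user (`-X "${DN}"`); a run without `-X` would also cover the panel binding as itself, which the `realdn` clause is meant to deny too.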