
[389-commits] dirsrvtests/tests ldap/servers

dirsrvtests/tests/tickets/ticket48893_test.py | 105 ++++++++++++++++++++++++++
ldap/servers/slapd/fedse.c | 1
2 files changed, 105 insertions(+), 1 deletion(-)

New commits:
commit 250a49d9f653a0ec64cfcd6343e9e31ed9f6e4e3
Author: William Brown <firstyear@redhat.com>
Date: Tue Jun 21 11:40:01 2016 +1000

Ticket 48893 - cn=config should not have readable components to anonymous

Bug Description: cn=snmp,cn=config shouldn't be readable to anonymous by
default.

Fix Description: Remove the allowing acl, and add a test to demonstrate that
no cn=config elements are readable.

https://fedorahosted.org/389/ticket/48893

Author: wibrown

Review by: nhosoi (Thank you very much!!)

diff --git a/dirsrvtests/tests/tickets/ticket48893_test.py b/dirsrvtests/tests/tickets/ticket48893_test.py
new file mode 100644
index 0000000..76d9dc9
--- /dev/null
+++ b/dirsrvtests/tests/tickets/ticket48893_test.py
@@ -0,0 +1,105 @@
+import os
+import sys
+import time
+import ldap
+import logging
+import pytest
+from lib389 import DirSrv, Entry, tools, tasks
+from lib389.tools import DirSrvTools
+from lib389._constants import *
+from lib389.properties import *
+from lib389.tasks import *
+from lib389.utils import *
+
+DEBUGGING = False
+
+if DEBUGGING:
+ logging.getLogger(__name__).setLevel(logging.DEBUG)
+else:
+ logging.getLogger(__name__).setLevel(logging.INFO)
+
+
+log = logging.getLogger(__name__)
+
+
+class TopologyStandalone(object):
+ """The DS Topology Class"""
+ def __init__(self, standalone):
+ """Init"""
+ standalone.open()
+ self.standalone = standalone
+
+
+@pytest.fixture(scope="module")
+def topology(request):
+ """Create DS Deployment"""
+
+ # Creating standalone instance ...
+ if DEBUGGING:
+ standalone = DirSrv(verbose=True)
+ else:
+ standalone = DirSrv(verbose=False)
+ args_instance[SER_HOST] = HOST_STANDALONE
+ args_instance[SER_PORT] = PORT_STANDALONE
+ args_instance[SER_SERVERID_PROP] = SERVERID_STANDALONE
+ args_instance[SER_CREATION_SUFFIX] = DEFAULT_SUFFIX
+ args_standalone = args_instance.copy()
+ standalone.allocate(args_standalone)
+ instance_standalone = standalone.exists()
+ if instance_standalone:
+ standalone.delete()
+ standalone.create()
+ standalone.open()
+
+ def fin():
+ """If we are debugging just stop the instances, otherwise remove
+ them
+ """
+ if DEBUGGING:
+ standalone.stop(60)
+ else:
+ standalone.delete()
+
+ request.addfinalizer(fin)
+
+ # Clear out the tmp dir
+ standalone.clearTmpDir(__file__)
+
+ return TopologyStandalone(standalone)
+
+
+def _attr_present(conn):
+ results = conn.search_s('cn=config', ldap.SCOPE_SUBTREE, '(objectClass=*)')
+ if DEBUGGING:
+ print(results)
+ if len(results) > 0:
+ return True
+ return False
+
+def test_ticket48893(topology):
+ """
+ Test that anonymous has NO VIEW to cn=config
+ """
+
+ if DEBUGGING:
+ # Add debugging steps(if any)...
+ pass
+
+ # Do an anonymous bind
+ conn = ldap.initialize("ldap://%s:%s" % (HOST_STANDALONE, PORT_STANDALONE))
+ conn.simple_bind_s()
+
+ # Make sure that we cannot see what's in cn=config as anonymous
+ assert(not _attr_present(conn))
+
+ conn.unbind_s()
+
+ log.info('Test PASSED')
+
+
+if __name__ == '__main__':
+ # Run isolated
+ # -s for DEBUG mode
+ CURRENT_FILE = os.path.realpath(__file__)
+ pytest.main("-s %s" % CURRENT_FILE)
+
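Review bot: The anonymous check in test_ticket48893, `assert(not _attr_present(conn))`, has no positive control, so an empty result would also pass if the subtree were absent or the search answered differently than expected; before the anonymous bind, run the same probe on the module's root-bound handle, `assert _attr_present(topology.standalone)` (the DirSrv opened in the fixture is presumably bound as the root DN — confirm), so that the empty anonymous result is attributable to the ACI change. `conn.unbind_s()` is skipped when the assertion fails; wrapping the check as `try: assert not _attr_present(conn)` / `finally: conn.unbind_s()` keeps the connection from leaking for the rest of the session. `_attr_present` can simply `return bool(results)`, and the unused `sys`/`time` imports and the no-op `if DEBUGGING: pass` could go. The docstring should also say what a denial looks like: if the server answers the anonymous search with an LDAP error rather than an empty result set, `search_s` raises and the test fails on the exception, not on the assert — worth stating as the expected shape of the result so a future ACI change is diagnosed correctly.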
diff --git a/ldap/servers/slapd/fedse.c b/ldap/servers/slapd/fedse.c
index 9f6749d..67b9609 100644
--- a/ldap/servers/slapd/fedse.c
+++ b/ldap/servers/slapd/fedse.c
@@ -111,7 +111,6 @@ static const char *internal_entries[] =
"objectclass:nsSNMP\n"
"cn:SNMP\n"
"nsSNMPEnabled: on\n"
- "aci:(target=\"ldap:///cn=SNMP,cn=config\")(targetattr !=\"aci\")(version 3.0;acl \"snmp\";allow (read, search, compare)(userdn = \"ldap:///anyone\");)\n",
};

static int NUM_INTERNAL_ENTRIES = sizeof(internal_entries)/sizeof(internal_entries[0]);
