Bug 14585 - LDAP search filter ACL access checks are too strict
Summary: LDAP search filter ACL access checks are too strict
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.13.2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-11-27 09:35 UTC by Stefan Metzmacher
Modified: 2024-05-03 02:35 UTC

See Also:
Description Stefan Metzmacher 2020-11-27 09:35:05 UTC
Windows seems to apply the search filter after the ACL check.
If a user doesn't have the right to see an attribute, it is simply handled
as if it did not exist at all when the search filter is applied.

E.g. if the user doesn't have the right to see the samAccountType attribute,
the following filter:

'(&(objectCategory=person)(objectSid=*)(!(samAccountType:1.2.840.113556.1.4.804:=3)))'

will effectively be the same as just:

'(&(objectCategory=person)(objectSid=*))'

Samba takes a different strategy: it checks all
attribute names it finds in the search filter, and if any
of these attributes is hidden from the user, the whole
object is hidden.
Comment 1 Andrew Bartlett 2024-05-03 02:35:14 UTC
I'm pretty sure this is the new approach after CVE-2023-0614

commit d5d0e71279790fdcf7e72749210b42b2faaa53f7
Author: Jo Sutton <josutton@catalyst.net.nz>
Date:   Fri Mar 3 17:34:29 2023 +1300

    CVE-2023-0614 ldb: Prevent disclosure of confidential attributes
    
    Add a hook, acl_redact_msg_for_filter(), in the aclread module, that
    marks inaccessible any message elements used by an LDAP search filter
    that the user has no right to access. Make the various ldb_match_*()
    functions check whether message elements are accessible, and refuse to
    match any that are not. Remaining message elements, not mentioned in the
    search filter, are checked in aclread_callback(), and any inaccessible
    elements are removed at this point.
    
...
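As an added illustration (not code from the bug report, from Samba, or from the CVE-2023-0614 commit), the Python toy below evaluates a subset of RFC 4515 search filters under three ACL strategies: matching on the full entry and only redacting the returned attributes, the pre-fix Samba strategy from the description (hide the whole object if any attribute named in the filter is inaccessible), and the Windows strategy the report describes, which is also what the commit message describes for the post-fix ldb_match_*() functions (an inaccessible attribute simply never matches). The sample entry, its SID and the set of readable attributes are constructed; the two matching-rule OIDs are the real Active Directory bit-AND and bit-OR rules, and the filter is the one quoted in the report.

```python
# Added example for Samba bug 14585; not code from the bug report, from Samba
# or from the CVE-2023-0614 commit.  Entry, SID and readable set are constructed.
import re

# Real Active Directory extensible-match rule OIDs.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# attr=value, attr=* or attr:OID:=value
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(?::([0-9.]+):)?=(.*)")


def parse_filter(text):
    """Parse (&...), (|...), (!...), (attr=value), (attr=*) and (attr:OID:=value)
    into nested tuples.  Values containing ')' are not supported by this toy."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, children, i = s[i], [], i + 1
        while s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    if s[i] == "!":
        child, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return ("!", child), i + 1
    end = s.index(")", i)
    m = _ITEM.fullmatch(s[i:end])
    if not m:
        raise ValueError("bad filter item %r" % s[i:end])
    attr, rule, value = m.groups()
    return ("=", attr.lower(), rule, value), end + 1


def filter_attributes(node):
    """Every attribute name that an assertion in the filter refers to."""
    if node[0] in "&|":
        return set().union(*(filter_attributes(c) for c in node[1]))
    if node[0] == "!":
        return filter_attributes(node[1])
    return {node[1]}


def match(node, entry, readable=None):
    """Evaluate `node` against `entry` (lower-case attribute -> list of str).
    With `readable` given, attributes outside it behave as if absent, so an
    assertion on them never matches (the commit message's ldb_match_* rule)."""
    kind = node[0]
    if kind == "&":
        return all(match(c, entry, readable) for c in node[1])
    if kind == "|":
        return any(match(c, entry, readable) for c in node[1])
    if kind == "!":
        return not match(node[1], entry, readable)
    _, attr, rule, value = node
    if readable is not None and attr not in readable:
        return False                      # inaccessible element: refuse to match
    values = entry.get(attr, [])
    if value == "*":                      # presence test
        return bool(values)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & int(value) == int(value) for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & int(value) != 0 for v in values)
    if rule is not None:
        raise ValueError("unsupported matching rule %s" % rule)
    return any(v.lower() == value.lower() for v in values)


def visible_match_then_redact(flt, entry, readable):
    """Unsafe ordering: match on the full entry, redact only the result.
    Whether the object is returned reveals the value of a hidden attribute."""
    return match(flt, entry)


def visible_hide_whole_object(flt, entry, readable):
    """Pre-fix Samba strategy from the description: any hidden attribute in
    the filter hides the whole object."""
    if filter_attributes(flt) - readable:
        return False
    return match(flt, entry, readable)


def visible_hidden_as_absent(flt, entry, readable):
    """Windows behaviour from the report / post-fix approach: hidden
    attributes are treated as absent during matching."""
    return match(flt, entry, readable)


# Constructed sample user; 805306368 (0x30000000) is SAM_NORMAL_USER_ACCOUNT.
USER = {
    "objectcategory": ["person"],
    "objectsid": ["S-1-5-21-1-2-3-1104"],   # constructed SID
    "samaccounttype": ["805306368"],
}
# Constructed ACL view: the searching user may not read samAccountType.
READABLE = {"objectcategory", "objectsid"}

# The filter quoted in the bug report.
REPORT_FILTER = parse_filter(
    "(&(objectCategory=person)(objectSid=*)"
    "(!(samAccountType:1.2.840.113556.1.4.804:=3)))")


def demo():
    """Each strategy's answer for the report's filter and for a direct
    equality probe of the hidden attribute's value."""
    probe = parse_filter("(samAccountType=805306368)")
    out = {}
    for name, fn in (("match_then_redact", visible_match_then_redact),
                     ("hide_whole_object", visible_hide_whole_object),
                     ("hidden_as_absent", visible_hidden_as_absent)):
        out[name] = (fn(REPORT_FILTER, USER, READABLE), fn(probe, USER, READABLE))
    return out


if __name__ == "__main__":
    for name, (report, probe) in demo().items():
        print("%-18s report filter: %-5s  value probe: %s" % (name, report, probe))
```

Running it shows the three outcomes side by side: the match-then-redact ordering answers the equality probe with True, i.e. it confirms the hidden value; the pre-fix Samba strategy hides the object for the report's filter even though the user may read every attribute it would return; and the hidden-as-absent strategy returns the object for the report's filter (exactly as if the samAccountType clause were not there) while answering the probe with False.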