Re: [ldapext] Using groupOfNames (or similar) for UNIX groups and netgroups (was Re: DBIS commentary)

Jordan Brown <Jordan.Brown@oracle.com> Wed, 02 December 2015 18:09 UTC

Return-Path: <Jordan.Brown@oracle.com>
X-Original-To: ldapext@ietfa.amsl.com
Delivered-To: ldapext@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB3041ACDD1 for <ldapext@ietfa.amsl.com>; Wed, 2 Dec 2015 10:09:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0p5hB047BXvB for <ldapext@ietfa.amsl.com>; Wed, 2 Dec 2015 10:09:04 -0800 (PST)
Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6DE631ACDCE for <ldapext@ietf.org>; Wed, 2 Dec 2015 10:09:04 -0800 (PST)
Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id tB2I933w024124 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Wed, 2 Dec 2015 18:09:03 GMT
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id tB2I93ob004796 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=FAIL); Wed, 2 Dec 2015 18:09:03 GMT
Received: from abhmp0006.oracle.com (abhmp0006.oracle.com [141.146.116.12]) by userv0121.oracle.com (8.13.8/8.13.8) with ESMTP id tB2I92Av005769; Wed, 2 Dec 2015 18:09:02 GMT
Received: from [10.159.249.98] (/10.159.249.98) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 02 Dec 2015 10:09:02 -0800
To: Simo Sorce <simo@redhat.com>
References: <5655E4F0.7030809@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F618A3@OZWEX0209N1.msad.ms.com> <565CAC30.6010701@oracle.com> <814F4E458AA9FF4E89CF1A9EDA0DE2A932F8EAFD@OZWEX0209N2.msad.ms.com> <565DDE78.5030908@oracle.com> <1449019308.9040.38.camel@redhat.com> <565E55C3.9080404@oracle.com> <1449076861.9040.56.camel@redhat.com>
From: Jordan Brown <Jordan.Brown@oracle.com>
Message-ID: <565F33B7.4000801@oracle.com>
Date: Wed, 2 Dec 2015 10:08:55 -0800
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 SeaMonkey/2.39
MIME-Version: 1.0
In-Reply-To: <1449076861.9040.56.camel@redhat.com>
Content-Type: multipart/alternative; boundary="------------040505020607040501020002"
X-Source-IP: userv0021.oracle.com [156.151.31.71]
Archived-At: <http://mailarchive.ietf.org/arch/msg/ldapext/S0C6JjXPS1nXfj3SDO6xZAq4hXk>
Cc: "'ldapext@ietf.org'" <ldapext@ietf.org>
Subject: Re: [ldapext] Using groupOfNames (or similar) for UNIX groups and netgroups (was Re: DBIS commentary)
X-BeenThere: ldapext@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <ldapext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ldapext>, <mailto:ldapext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ldapext/>
List-Post: <mailto:ldapext@ietf.org>
List-Help: <mailto:ldapext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ldapext>, <mailto:ldapext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 02 Dec 2015 18:09:07 -0000

On 12/2/2015 9:21 AM, Simo Sorce wrote:
> On Tue, 2015-12-01 at 18:21 -0800, Jordan Brown wrote:
>> [draft-masarati-ldap-deref-00] is indeed very interesting. I don't
>> immediately see how it helps with the type-safety problem, though.
>> Am I missing something?
> The idea is that you can get all data up at once including objectclass
> and then you can simply drop results that do not have the right
> objectclass value.
> It is a little more wasteful than being able to specify a secondary
> filter (that would probably be a great addition to the draft), for the
> search done on the attribute of the group entry, but it is still good
> enough to efficiently get results as well as easily weed off unwanted
> ones.

OK, sure.  (Better still would be to have some way to tell the directory to limit 
the types allowed.)
>> Yes, and I infer that there's corresponding omissions in other parts of the 
>> standard. In the getgrent description, the standard describes omitting this 
>> information on the basis of security restrictions. Omitting the data there 
>> would not help security at all if you could immediately turn around and request 
>> it through getgrname and getgrgid. Meeting the security need would require 
>> having the restrictions in both places. 
> True, but are not doing this for security reasons, we are just taking
> the fact that omissions are permissible as a blanket permission to omit
> results, and clients should be prepared to deal with that.

Right, but the standard describes it in terms of security.

> After all the texts are vague and you could think that the security
> measure expressed here is about not revealing group names.

It explicitly mentions editing the list of members (emphasis added):

http://pubs.opengroup.org/onlinepubs/9699919799/functions/getgrent.html

    An implementation that provides extended security controls may impose further
    implementation-defined restrictions on accessing the group database. In
    particular, the system may deny the existence of some or all of the group
    database entries associated with groups other than those groups associated
    with the caller *and may omit users other than the caller from the list of
    members of groups in database entries that are returned*.


> The fact you can easily scan the whole group ID space is just the
> annoying consequence of the fact most systems do not have a randomized
> ID assignment policy and have a pretty limited ID space at just 32bit of
> size or less. But hey, that's not my fault! :-)

That too, but I was thinking about the list-of-members part... if you have a 
security reason for keeping the list of members hidden, it wouldn't do you any 
good to hide it from getgrent when the caller could then immediately retrieve it 
using getgrgid.

>> We could address it through introducing a new object class (and here I include
>> just grabbing "group" from AD or "groupOfNames" from RFC2307bis-02, not just
>> creating a wholly new one), or by changing the definition.  This is one of those
>> cases where I'd say that breaking formal compatibility might well be appropriate.
> Yes, it would be nice to change the class, because it is forward safe to
> do so, if you created objects when the MUST was in place, nothing breaks
> if you relax the constraint to MAY, at least from the POV of data
> consistency in the directory.
>
> And I never found any software the specifically rely on the fact you
> can't delete the last member attribute from a group for something.
> Actually usually I saw software that had to use workarounds like adding
> the group dn to itself (and concealing the self-reference in the UI)
> when an admin wants to remove the last member but not remove the whole
> group.

The potential problem is a consumer that knows that the "member" attribute MUST be 
present, and freaks out if it isn't.