[7992] in bugtraq


Re: NMRC Advisory - Default NDS Rights

daemon@ATHENA.MIT.EDU (M. Baker)
Sun Sep 20 01:17:36 1998

Date: 	Sun, 20 Sep 1998 14:03:45 +1000
Reply-To: mbaker@COMTECH.COM.AU
From: "M. Baker" <mbaker@COMTECH.COM.AU>
X-To:         Simple Nomad <thegnome@NMRC.ORG>
To: BUGTRAQ@NETSPACE.ORG

Very true.

Everyone gets [B]rowse object rights from the fact that they are included
as a member of the [PUBLIC] trustee which covers everyone authenticated and
those that are not. Your workaround was a little inaccurate. Just removing
the [PUBLIC] trustee as a trustee of [Root] will remove NDS functionality
of your users. What I suggest to most people is that they remove the
[PUBLIC] trustee and then make [Root] a trustee of itself and then give
[Root] Browse rights to itself. This gives users the ability to browse the
tree, not lose any functionality. Now they have to authenticate to see the
tree rather than just attaching.
Hope this clears things up.

BTW I wouldn't class this as a security problem; depending on your site you
may want [PUBLIC] to be a trustee of [ROOT]. If you don't want that, do what
I stated above.



Michael
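
The three trustee configurations discussed in this message, compared in a simplified Python model of NDS object-rights evaluation (an added example, not part of the original post and not Novell code). The sample tree, the object names and the evaluation rules are assumptions: no Inherited Rights Filters, an attached-only connection counts only as [PUBLIC], and a logged-in user also counts as [Root].

```python
# Simplified model of NDS object-rights evaluation (assumption-laden sketch,
# not Novell code): no Inherited Rights Filters, no explicit equivalences.
ROOT, PUBLIC = "[Root]", "[PUBLIC]"

# Constructed sample tree: child -> parent container.
PARENT = {"O=ACME": ROOT, "OU=SALES.O=ACME": "O=ACME",
          "CN=jsmith.OU=SALES.O=ACME": "OU=SALES.O=ACME"}

def ancestors(obj):
    """Yield obj, then each container above it, ending at [Root]."""
    while obj is not None:
        yield obj
        obj = PARENT.get(obj)

def equivalences(user):
    """Trustees a connection counts as. user=None: attached, not logged in."""
    if user is None:
        return {PUBLIC}
    return {PUBLIC, ROOT} | set(ancestors(user))

def effective_rights(acl, user, target):
    """Union of the rights each equivalent trustee holds on target.
    Per trustee, the assignment nearest to target wins; rights flow down."""
    rights = set()
    for trustee in equivalences(user):
        for obj in ancestors(target):
            if trustee in acl.get(obj, {}):
                rights |= acl[obj][trustee]
                break
    return rights

def can_browse(acl, user, target="OU=SALES.O=ACME"):
    return "B" in effective_rights(acl, user, target)

DEFAULT = {ROOT: {PUBLIC: {"B"}}}   # [PUBLIC] has Browse at [Root]
PUBLIC_REMOVED = {ROOT: {}}         # [PUBLIC] removed, nothing added
SUGGESTED = {ROOT: {ROOT: {"B"}}}   # [Root] granted Browse on itself

def audit(acl, user="CN=jsmith.OU=SALES.O=ACME"):
    """Return (attached-only can browse, authenticated user can browse)."""
    return can_browse(acl, None), can_browse(acl, user)

if __name__ == "__main__":
    for name, acl in [("default", DEFAULT), ("public removed", PUBLIC_REMOVED),
                      ("suggested", SUGGESTED)]:
        print(name, audit(acl))
```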
