[16694] in bugtraq

Re: Bypassing Inherited Rights Filters in Novell Directory

daemon@ATHENA.MIT.EDU (Bob Fiero)
Mon Sep 11 02:49:03 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Message-Id:  <4.3.2.7.2.20000910130030.00b3a230@binary.mentalfloss.net>
Date:         Sun, 10 Sep 2000 13:10:23 -0400
Reply-To: Bob Fiero <bfiero@MENTALFLOSS.NET>
From: Bob Fiero <bfiero@MENTALFLOSS.NET>
X-To:         FogHorn Security <info@FOGHORNSECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <00090719245201.30669@zion>

At 07:24 PM 9/7/2000 -0700, you wrote:
>Here's an example. An administrator, .BOB.ACME, has Supervisor [S] rights to
>the .ACME container. There is a container, .SECRET.ACME, which BOB should not
>have any access to.

If you understood NDS sufficiently, you wouldn't give Bob [S] rights to a
container where you need to keep him from objects under that container.
Regardless of what you do, Bob has [S] rights that you granted him, and
those rights can be applied...as in giving himself or any other user access
to objects within that container. How is that a bug?

Not that I know NDS inside and out or anything...but give [W] Write rights
(or any other rights), you can take them away further down the tree...Give
[S] rights, that gives a user the ability to change rights on objects
within that container. I don't see this as a bug, but perhaps as a
misunderstanding of how NDS works.

---

The single most effective thing you can do to protect yourself on the
Internet...Never use Microsoft products or protocols.

Increase your Win98 system speed, stability, and security. Remove IE.
http://www.98lite.net
