Full Version: Role Based Services (rbs) Rights To Root
qcred11
Apr 28 2004, 06:56 PM
QUOTE

Role Based Services (RBS) rights to ROOT

fact
eDirectory 8.7

symptom
Users have too many administrative rights/privileges in eDirectory.

cause
RBS assigns eDirectory trustee assignments to Root which may be higher than the minimum required to complete a task OR the rights do not target the resource to be managed directly.

change
Users added to Roles may report or perform administration tasks which they are not supposed to.

Note that when viewing Roles in iManager, the "Rights Advisory" column indicates when Supervisor rights are granted for a role.

Below is a list of the rights assignments which RBS grants to the ROOT object. This list will differ based on eDirectory version, product installation or manual configuration.

Entry: B=Browse, A=Add/Create, D=Delete, R=Rename, S=Supervisor
Attribute: C=Compare, R=Read, W=Write, A=Add Self, I=Inheritable, S=Supervisor

Trustees with Admin Rights on "[Root]" ...
[BAD ] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "memberQuery"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "Member"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "excludedMember"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "dgIdentity"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "dgAllowDuplicates"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "dgAllowUnknown"
[ AI] CN=[root].CN=Dynamic Group Management.CN=Test RBS.O=novell / "dgTimeOut"
[BADRS ] CN=[root].CN=eDirectory Administration.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=eGuide Org Chart Management.CN=Test RBS.O=novell / "isManager"
[ AI] CN=[root].CN=eGuide Org Chart Management.CN=Test RBS.O=novell / "manager"
[ AI] CN=[root].CN=eGuide User Management.CN=Test RBS.O=novell / "Title"
[ AI] CN=[root].CN=eGuide User Management.CN=Test RBS.O=novell / "Password Management"
[BAD ] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "CN"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Owner"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "L"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "OU"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "O"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Description"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Security Equals"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Equivalent To Me"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "See Also"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Member"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Group Membership"
[BA ] CN=[root].CN=Help Desk Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=Help Desk Management.CN=Test RBS.O=novell / "Locked By Intruder"
[ AI] CN=[root].CN=Help Desk Management.CN=Test RBS.O=novell / "Login Intruder Attempts"
[ AI] CN=[root].CN=Help Desk Management.CN=Test RBS.O=novell / "Password Management"
[BA S ] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "Description"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "L"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "Resource Mgmt Service Enabled"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "Notification Service Enabled"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "Registry Service Enabled"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Control Flags"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Default Printer"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Default Public Printer"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Printer Install List"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Printer Install Timestamp"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Public Printer Install List"
[ AI] CN=[root].CN=iPrint Management.CN=Test RBS.O=novell / "NDPS Replace All Client Printers"
[ AI] CN=[root].CN=LDAP Management.CN=Test RBS.O=novell / "LDAP Server List"
[BAD ] CN=[root].CN=LDAP Management.CN=Test RBS.O=novell / "[Entry Rights]"
[BAD ] CN=[root].CN=naudit_Managment.CN=Test RBS.O=novell / "[Entry Rights]"
[ A ] CN=[root].CN=naudit_Managment.CN=Test RBS.O=novell / "[All Attributes Rights]"
[ AI] CN=[root].CN=NetStorage Management.CN=Test RBS.O=novell / "Password Management"
[ AI] CN=[root].CN=NMAS Management.CN=Test RBS.O=novell / "sasAuthorizedLoginSequences"
[ AI] CN=[root].CN=NMAS Management.CN=Test RBS.O=novell / "sasDefaultLoginSequence"
[ AI] CN=[root].CN=NMAS Management.CN=Test RBS.O=novell / "SAS:Login Configuration"
[ AI] CN=[root].CN=NMAS Management.CN=Test RBS.O=novell / "Password Management"
[ AI] CN=[root].CN=NMAS Management.CN=Test RBS.O=novell / "nspmConfigurationOptions"
[ AI] CN=[root].CN=Novell Certificate Server Management.CN=Test RBS.O=novell / "NDSPKI:userCertificateInfo"
[ AI] CN=[root].CN=Novell Certificate Server Management.CN=Test RBS.O=novell / "SAS:SecretStore"
[ AI] CN=[root].CN=Novell Certificate Server Management.CN=Test RBS.O=novell / "userCertificate"
[ AI] CN=[root].CN=Novell Certificate Server Management.CN=Test RBS.O=novell / "NDSPKI:Public Key Certificate"
[ AI] CN=[root].CN=Novell Certificate Server Management.CN=Test RBS.O=novell / "NDSPKI:Certificate Chain"
[BAD S ] CN=[root].CN=Partition and Replica Management.CN=Test RBS.O=novell / "[Entry Rights]"
[BAD ] CN=[root].CN=SNMP Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Given Name"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Full Name"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Initials"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Surname"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Generational Qualifier"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "CN"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Title"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Internet EMail Address"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Telephone Number"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Facsimile Telephone Number"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "L"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "OU"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Description"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Language"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Network Address"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Message Server"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Home Directory"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "SA"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Postal Office Box"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Physical Delivery Office Name"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "S"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Postal Code"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Postal Address"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Group Membership"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Member"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Security Equals"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Equivalent To Me"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Allow Change"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Required"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Minimum Length"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Expiration Interval"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Grace Remaining"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Expiration Time"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Unique Required"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Grace Limit"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Disabled"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Expiration Time"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Maximum Simultaneous"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Time"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Allowed Time Map"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Network Address Restriction"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Account Balance"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Allow Unlimited Credit"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Minimum Account Balance"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Locked By Intruder"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Login Script"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Profile"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "See Also"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Password Management"
[BAD ] CN=[root].CN=User Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "sasDefaultLoginSequence"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "sasAuthorizedLoginSequences"
[ AI] CN=[root].CN=WAN Traffic Management.CN=Test RBS.O=novell / "Member"
[BAD S ] CN=[root].CN=WAN Traffic Management.CN=Test RBS.O=novell / "[Entry Rights]te.
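
Added example (not part of the quoted TID or of the forum post): a short Python audit over a listing in the format above. It reproduces the kind of check the "Rights Advisory" column performs by flagging roles whose [Root] scope holds the Supervisor entry right. The attribute watch list and the way the role name is taken from the trustee DN are assumptions of this example.

```python
import re
from collections import defaultdict

# Line layout as printed in the listing: [mask] trustee-DN / "attribute"
LINE = re.compile(r'^\[([A-Z ]*)\]\s+(\S.*?)\s+/\s+"(.+)"\s*$')
# Assumption: the role is the CN directly above the CN=[root] scope object.
ROLE = re.compile(r'^CN=\[root\]\.CN=([^.]+)\.')
# Assumption of this example: attribute names a reviewer wants called out.
WATCHED = {"Security Equals", "Equivalent To Me", "Password Management"}

def parse(listing):
    """Return (entries, unparsed); each entry is (role, rights, attribute)."""
    entries, unparsed = [], []
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = LINE.match(line)
        role = ROLE.match(m.group(2)) if m else None
        if not role:
            unparsed.append(line)  # kept for manual review, never dropped
            continue
        rights = set(m.group(1).replace(" ", ""))
        entries.append((role.group(1), rights, m.group(3)))
    return entries, unparsed

def advisory(entries, watched=WATCHED):
    """Map role -> findings that deserve a least-privilege review."""
    report = defaultdict(list)
    for role, rights, attr in entries:
        if attr == "[Entry Rights]" and "S" in rights:
            report[role].append("Supervisor entry right at [Root]")
        elif attr == "[All Attributes Rights]":
            report[role].append("all attributes: " + "".join(sorted(rights)))
        elif attr in watched:
            report[role].append("watched attribute: " + attr)
    return dict(report)

# Lines copied from the listing above; the last one is truncated on the page.
SAMPLE = '''
[BAD ] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "[Entry Rights]"
[ AI] CN=[root].CN=Group Management.CN=Test RBS.O=novell / "Security Equals"
[BADRS ] CN=[root].CN=eDirectory Administration.CN=Test RBS.O=novell / "[Entry Rights]"
[ A ] CN=[root].CN=naudit_Managment.CN=Test RBS.O=novell / "[All Attributes Rights]"
[ AI] CN=[root].CN=User Management.CN=Test RBS.O=novell / "Given Name"
[BAD S ] CN=[root].CN=WAN Traffic Management.CN=Test RBS.O=novell / "[Entry Rights]te.
'''

if __name__ == "__main__":
    entries, unparsed = parse(SAMPLE)
    print(advisory(entries))
    print("UNPARSED:", unparsed)
```

A line that fails to parse can hide a Supervisor grant, as the truncated WAN Traffic Management line does here, so the unparsed list should be reviewed by hand.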