Re: Bypassing Inherited Rights Filters in Novell Directory Services.

2000-09-11T00:00:00
ID SECURITYVULNS:DOC:662
Type securityvulns
Reporter Securityvulns
Modified 2000-09-11T00:00:00

Description

At 07:24 PM 9/7/2000 -0700, you wrote: >Here's an example. An administrator, .BOB.ACME, has Supervisor [S] rights to >the .ACME container. There is a container, .SECRET.ACME, which BOB should not >have any access to.

If you understood NDS sufficiently, you wouldn't give Bob [S] rights to a container where you need to keep him from objects under that container. Regardless of what you do, Bob has [S] rights that you granted him, and those rights can be applied...as in giving himself or any other user access to objects within that container. How is that a bug?

Not that I know NDS inside and out or anything...but give [W] Write rights (or any other rights), you can take them away further down the tree...Give [S] rights, that gives a user the ability to change rights on objects within that container. I don't see this as a bug, but perhaps as a mis-understanding of how NDS works.


The single most effective thing you can do to protect yourself on the Internet...Never use Microsoft products or protocols.

Increase your Win98 system speed, stability, and security. Remove IE. http://www.98lite.net