T 3.51 Errors in the assignment of access rights in Novell eDirectory

Since eDirectory contains a host of sensitive data about the system's users and resources and is, moreover, closely tied to the underlying operating system, the assignment of access rights in eDirectory is of particular importance.

Access rights to eDirectory objects are assigned using so-called access control lists (ACLs). A distinction is made between access rights to the eDirectory object itself and access rights to individual attributes of an object.

The rights (privileges) that can be assigned at object level are: browse, create, delete, rename, and supervisor. At attribute level they are: compare, read, add or delete self, write, supervisor, and inheritance control. Compare is treated as part of the read privilege, i.e. if the read privilege has been assigned, the compare privilege is assigned automatically.

The access control lists themselves are attributes (properties) of the respective eDirectory objects. By default, access rights to eDirectory objects are inherited from parent objects by their child objects in the tree hierarchy. So that partitioning the eDirectory does not interrupt the inheritance mechanism, an inherited ACL is attached to the root object of each partition. Inheritance can be influenced with the help of so-called masks or inherited rights filters.

Access rights at attribute level are not passed down the directory hierarchy by default. However, this can be configured using the attribute right inheritance control, which can also be used to control the particularly critical self privilege.

Access rights are assigned explicitly with the help of so-called trustee assignments. Here, the access rights (privileges) of other eDirectory objects (users, user groups, services, applications, servers, etc.) to the target object are entered directly into the ACL of that target object.

Furthermore, access rights may be assigned indirectly with the help of so-called security equivalences. Example: target object X has (at least) the same access options as target object Y, i.e. the trustees of object Y automatically also become trustees of object X. This is likewise configured as an ACL entry of object X.

Whenever an actual eDirectory access takes place, the so-called effective rights are determined, i.e. the final result of all the configurations described above.
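As an added example (not part of the original catalogue entry and not eDirectory's own algorithm), the following simplified model computes effective object-level rights from the mechanisms described above: explicit trustee entries in an object's ACL, inheritance down the tree, inherited rights filters (IRFs) and security equivalences. The tree, trustees and rights are constructed sample data; security equivalence is modelled on the trustee side, and "supervisor implies all object rights" is an assumption of this model. The audit helper at the end lists who effectively holds supervisor on an object, which is the check an administrator would run to spot both unintended administrators and subtrees that no administrator can reach any more.

```python
# Simplified model of eDirectory object-level rights: explicit trustee
# assignments (ACL entries), inheritance down the tree, inherited rights
# filters (IRFs) and security equivalences. All names and rights below are
# constructed sample data, not an export from a real directory.
RIGHTS = frozenset("BCDRS")  # Browse, Create, Delete, Rename, Supervisor

# Constructed tree: object -> parent (None marks the tree root)
PARENT = {"O=Org": None, "OU=IT": "O=Org", "OU=HR": "O=Org",
          "CN=Server1": "OU=IT", "CN=HRdata": "OU=HR"}
# ACL attribute of each object: trustee -> explicitly assigned rights
ACL = {"O=Org": {"CN=Admin": set("S"), "CN=Helpdesk": set("BR")},
       "OU=HR": {"CN=HRlead": set("BCDR")}}
# IRF of an object: rights allowed to be inherited from above (default: all)
IRF = {"OU=HR": set("B")}  # HR subtree filters everything but Browse, even S
# Security equivalence (assumed trustee-side): trustee -> objects whose
# trustee rights it also receives
EQUIV = {"CN=Contractor": ["CN=Helpdesk"], "CN=NewAdmin": ["CN=Admin"]}


def path_from_root(obj):
    """Objects on the way from the tree root down to obj, inclusive."""
    chain = []
    while obj is not None:
        chain.append(obj)
        obj = PARENT[obj]
    return chain[::-1]


def direct_rights(trustee, target):
    """Rights from the trustee's own ACL entries: inherited rights pass each
    object's IRF, and an explicit entry on an object replaces what it inherited."""
    rights = set()
    for obj in path_from_root(target):
        rights &= IRF.get(obj, RIGHTS)          # filter inherited rights
        if trustee in ACL.get(obj, {}):
            rights = set(ACL[obj][trustee])     # explicit assignment wins
    return rights


def effective_rights(trustee, target, _seen=()):
    """Effective rights: own assignments plus those of every security equivalent."""
    rights = direct_rights(trustee, target)
    for equiv in EQUIV.get(trustee, []):
        if equiv not in _seen:                  # guard against equivalence loops
            rights |= effective_rights(equiv, target, _seen + (trustee,))
    return set(RIGHTS) if "S" in rights else rights   # supervisor implies all


def supervisors_of(target):
    """Audit check: every trustee that ends up with Supervisor on target."""
    trustees = {t for acl in ACL.values() for t in acl} | set(EQUIV)
    return sorted(t for t in trustees if "S" in effective_rights(t, target))
```

With this data, `supervisors_of("CN=Server1")` reveals that CN=NewAdmin inherits full control through its equivalence to CN=Admin, while `supervisors_of("CN=HRdata")` is empty because the IRF on OU=HR also filters supervisor, so nobody can administer that subtree.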

This variety of configuration options for eDirectory access rights entails the risk that inconsistent or incorrect access options are assigned. If access rights are assigned incorrectly in eDirectory, the security of the overall system is significantly threatened as a result. This affects the confidentiality and integrity of data and may open backdoors for wide-ranging attacks on the system.

Another particularly critical aspect is the assignment of administration rights. eDirectory allows a role-based administration concept to be implemented, or individual administrative tasks to be delegated, by assigning the corresponding access rights. If these rights are assigned incorrectly, the entire administration concept is undermined, and it may even happen that administration of the directory system is blocked.