We’ve found a security bug in Notes.
In the ACL of the names.nsf, the default access is set to author, the LocalDomainServers (defined as Server Group) has manager access.
Connect to a domino server using admin client and login with the server ID
-
go to the Files Tab
-
open names.nsf
-
access only as author (what is correct)
-
now go to the configuration tab - server - all server and open a server doc
-
you have manager access to names.nsf !!
-
go back to files
-
open names.nsf again
-
now you have access as manager to names.nsf
Subject: server id
If someone has access to the server id then yes, they can do what they want afaik. That’s a separate issue and not a bug
Subject: server.id
I don’t think so, because the ACL settings work fine, as long as you don’t use the config tab in the domino administrator.
Subject: If User type is set to Server group, you shouldn’t be able to access the DB using the server.id using a client, but …
If there’s another entry for the very server as unspecified, it would take precedence over the Group entry and then it is an admin error.
Subject: No
No, there is no unspecified entry in the ACL (Except Default and Anonymous, but they don’t have manager access)
Subject: Bug?
This isn’t really a security bug …
First of all, you aren’t supposed to be using a server ID to access a server directly with a client. Secondly, If you are accessing with a server ID and the server is in the LocalDomainServers group (which has manager access) and you find that you actually have manager access, isn’t that working as designed, even though you shouldn’t be doing this with a server ID?
Subject: Bug !
I know that all, but the main problem (bug ?) is, that you shouldn’t have manager access when the ACL is set correctly (=ServerGroup). The bug only occurs when you use the configuration tab in the domino administrator client. Nowhere else.