[Pkg-openldap-devel] r750 - in openldap/trunk-2.1: debian libraries/libldap

Steve Langasek vorlon at alioth.debian.org
Tue Nov 14 01:54:38 CET 2006


Author: vorlon
Date: 2006-11-14 01:54:38 +0100 (Tue, 14 Nov 2006)
New Revision: 750

Modified:
   openldap/trunk-2.1/debian/changelog
   openldap/trunk-2.1/libraries/libldap/init.c
Log:
Don't check for user configuration files when the caller is setuid; addresses
#387467, which is a potential security hole allowing libnss-ldap settings to
be overridden.  Thanks to Stephen Frost for bringing this to my attention.



Modified: openldap/trunk-2.1/debian/changelog
===================================================================
--- openldap/trunk-2.1/debian/changelog	2006-11-12 10:08:20 UTC (rev 749)
+++ openldap/trunk-2.1/debian/changelog	2006-11-14 00:54:38 UTC (rev 750)
@@ -1,8 +1,12 @@
 openldap2 (2.1.30-14) UNRELEASED; urgency=low
 
   * Acknowledge l10n NMUs; thanks, Christian!
+  * Don't check for user configuration files when the caller is setuid;
+    addresses #387467, which is a potential security hole allowing
+    libnss-ldap settings to be overridden.  Thanks to Stephen Frost for
+    bringing this to my attention.
 
- -- Steve Langasek <vorlon at debian.org>  Thu,  9 Nov 2006 19:00:33 -0800
+ -- Steve Langasek <vorlon at debian.org>  Mon, 13 Nov 2006 16:43:04 -0800
 
 openldap2 (2.1.30-13.2) unstable; urgency=low
 
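Review bot: the new entry names the bug it addresses but not what actually changes for users: which per-user file(s) init.c now skips, and that the skip only applies when the calling process is setuid (getuid() != geteuid()). Spelling that out, e.g. "per-user ldap configuration files are no longer read by setuid programs", lets an administrator recognise the symptom (a user's settings silently ignored under a setuid tool) from the changelog alone.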

Modified: openldap/trunk-2.1/libraries/libldap/init.c
===================================================================
--- openldap/trunk-2.1/libraries/libldap/init.c	2006-11-12 10:08:20 UTC (rev 749)
+++ openldap/trunk-2.1/libraries/libldap/init.c	2006-11-14 00:54:38 UTC (rev 750)
@@ -252,6 +252,12 @@
 	char *home;
 	char *path = NULL;
 
+	if (getuid() != geteuid()) {
+		/* Caller is setuid -- don't read any per-user configs in
+		   these circumstances, as this may not be safe */
+		return;
+	}
+
 	if (file == NULL) {
 		/* no file name */
 		return;
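Review bot: the guard added at the top of the hunk compares only real and effective uid, so a setgid binary (getgid() != getegid()) still reads the per-user files and its libnss-ldap settings can be overridden the same way; extend it to `if (getuid() != geteuid() || getgid() != getegid())`, or use issetugid() where the platform provides it, since that also covers a process that dropped privileges after being started setuid and no longer shows a uid mismatch. Returning before `file`, `home` and `path` are touched is the right order, as nothing controlled by the invoker (such as $HOME) is consulted first, but a debug message before the `return;` would tell an administrator why a user's settings are being ignored. Since libldap is also built on platforms without getuid()/geteuid(), consider wrapping the block in an autoconf-style HAVE_GETEUID guard.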


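The policy the commit applies, written out as an added example (this is not OpenLDAP or Debian code, and the function names, the `user_config_allowed` split into a pure decision function, and the "ldaprc" file name used in main() are all assumptions made here for illustration). It goes beyond the patch in one respect: it treats a setgid mismatch the same way as a setuid one, and it shows why the decision has to be made before anything derived from $HOME is used.

```c
/*
 * Added example, not OpenLDAP code.  Decide whether a library running
 * inside a caller's process may honour per-user configuration, and build
 * the per-user path only when it may.  Function names are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/*
 * Pure policy on the four credential values.  If real and effective ids
 * differ, the process holds privileges its invoker does not have, so any
 * input the invoker controls ($HOME, files under it) must be ignored.
 * The commit checks only uid; the gid test is the setgid generalisation.
 */
int user_config_allowed(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    if (ruid != euid)
        return 0;           /* setuid: the case fixed in r750 */
    if (rgid != egid)
        return 0;           /* setgid: same risk, not covered by the patch */
    return 1;
}

/* The same decision taken on the live process credentials. */
int process_user_config_allowed(void)
{
    return user_config_allowed(getuid(), geteuid(), getgid(), getegid());
}

/*
 * Build "<home>/<file>" only when per-user config is allowed.  Returns a
 * malloc'd string the caller frees, or NULL when the file must not be
 * consulted (or when home/file are missing).  Taking the decision as a
 * parameter keeps the untrusted $HOME value out of the disallowed path.
 */
char *user_config_path(const char *home, const char *file, int allowed)
{
    size_t n;
    char *path;

    if (!allowed || home == NULL || file == NULL)
        return NULL;
    n = strlen(home) + 1 + strlen(file) + 1;
    path = malloc(n);
    if (path == NULL)
        return NULL;
    snprintf(path, n, "%s/%s", home, file);
    return path;
}

int main(void)
{
    int allowed = process_user_config_allowed();
    /* "ldaprc" is a placeholder file name for this example. */
    char *path = user_config_path(getenv("HOME"), "ldaprc", allowed);

    printf("per-user config %s: %s\n",
           allowed ? "enabled" : "disabled", path ? path : "(none)");
    free(path);
    return 0;
}
```

Run it normally and the path is printed; run the same binary installed setuid or setgid to another id and it reports "disabled" without ever looking at $HOME, which is the behaviour the commit wants for libnss-ldap callers.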

