[Pkg-openldap-devel] r750 - in openldap/trunk-2.1: debian libraries/libldap
Steve Langasek
vorlon at debian.org
Wed Nov 15 03:28:05 CET 2006
On Tue, Nov 14, 2006 at 05:07:39PM -0800, Quanah Gibson-Mount wrote:
> >>[19:07] Howard Chu: that's the wrong fix
> >>[19:07] Howard Chu: libnss-ldap should set NOINIT for its own usage.
> >>[19:09] Quanah: so this patch doesn't really fix anything?
> >>[19:09] Howard Chu: probably not.
> >Regardless of the merits of OpenLDAP reading dotfiles on library
> >initialization without a flag (er), libnss-ldap should probably get that
> >fix, and libpam-ldap too while we're at it.
> Okay, it is LDAPNOINIT (rather than NOINIT).
> But Howard further clarifies that as long as nss/pam_ldap fully specify
> their ldap.conf file to use, the users' .ldaprc file will never be read.
> So the only time this is an issue is if someone hasn't really configured
> nss/pam properly, and I assume that debian does things right.
I don't accept this reasoning. The penalty to an admin for configuring
their software "wrong" -- where "wrong" means "assuming that options left as
defaults will keep the default values" -- should not be a root security
hole.
I agree that libnss-ldap and libpam-ldap should be using this LDAPNOINIT
flag, now that we know it exists. Cc:ing the original bug report, so that
Stephen can look into that. But this should still be *in addition to* the
suid check, not *instead of* it, because there may be suid applications
using libldap by other means because they assume it's secure.
--
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon at debian.org                                   http://www.debian.org/
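The two controls argued about above, the LDAPNOINIT opt-out and the suid check, as an added illustration for this page (not OpenLDAP's libldap or the Debian package's code): a library deciding at initialization whether a per-user rc file may be read at all. The function names, the /etc/ldap/ldap.conf path and the reading of LDAPNOINIT as "set means skip init-time config" are assumptions made for the example.

```c
/*
 * Added example for this page (not OpenLDAP or Debian code): the policy a
 * library such as libldap can apply before it reads configuration at init.
 * Two independent controls are shown:
 *   1. the embedding program opts out of all init-time config via an
 *      environment variable (LDAPNOINIT in the thread; treated here as
 *      "set = skip");
 *   2. the library refuses user dotfiles whenever the process is set-uid or
 *      set-gid, because $HOME then belongs to an untrusted invoking user.
 * Paths and function names are hypothetical.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define SYSTEM_LDAP_CONF "/etc/ldap/ldap.conf"   /* assumed system-wide file */
#define MAX_CONF_FILES 4

/* Pure policy decision, kept free of syscalls so it can be tested as a
 * normal user: true only when a user-controlled rc file may be read. */
bool user_rcfile_allowed(uid_t uid, uid_t euid, gid_t gid, gid_t egid,
                         const char *noinit_env)
{
    /* Opt-out: the caller (e.g. an NSS/PAM module) asked for no init-time
     * configuration.  An env var that can only make the library *stricter*
     * is safe to honour even when the environment is attacker-supplied. */
    if (noinit_env != NULL)
        return false;

    /* Privilege check: any mismatch between real and effective IDs means
     * the process holds privileges the invoking user lacks, so that user's
     * dotfiles must be treated as hostile.  Check both uid and gid. */
    if (uid != euid || gid != egid)
        return false;

    return true;
}

/* Builds the ordered list of config files to read.  The system file is
 * always a candidate; the user's ~/.ldaprc is appended only when the
 * policy above allows it.  Returns the number of entries written. */
int config_file_list(bool allow_user_rc, const char *home,
                     char out[][256], int max_out)
{
    int n = 0;
    if (max_out < 1)
        return 0;

    snprintf(out[n++], 256, "%s", SYSTEM_LDAP_CONF);

    if (allow_user_rc && home != NULL && home[0] != '\0' && n < max_out)
        snprintf(out[n++], 256, "%s/.ldaprc", home);

    return n;
}

/* Live variant: reads the real process state. */
int config_files_for_this_process(char out[][256], int max_out)
{
    bool allow = user_rcfile_allowed(getuid(), geteuid(), getgid(), getegid(),
                                     getenv("LDAPNOINIT"));
    /* $HOME is as attacker-chosen as the rc file itself under set-uid, so
     * it is only consulted once the policy has already said yes. */
    return config_file_list(allow, allow ? getenv("HOME") : NULL,
                            out, max_out);
}

int main(void)
{
    char files[MAX_CONF_FILES][256];
    int n = config_files_for_this_process(files, MAX_CONF_FILES);
    for (int i = 0; i < n; i++)
        printf("would read: %s\n", files[i]);
    return 0;
}
```

The point of keeping the suid test inside the library rather than relying on LDAPNOINIT alone is visible in the first function: the environment can only ever switch dotfile reading off, so a set-uid program whose author never heard of the variable is still protected by the uid/gid comparison, which needs no cooperation from the caller.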