[Pkg-openldap-devel] Bug#761406: Please review text for security warning
Ryan Tandy
ryan at nardis.ca
Sat Oct 4 21:59:05 UTC 2014
Dear debian-l10n-english,
Bug #761406 reported a rule included in Debian's default slapd
configuration that granted users more permissions than one might assume,
with possible security consequences. I removed that rule for new
installations, but I don't want to try automatically changing existing
configurations. Instead, I want to show a brief debconf note with a
summary of the problem and a pointer to README.Debian, where there would
be a longer explanation and an example of how to resolve it. I'm writing
to ask for help composing both of those texts.
Summary of the bug:
* Versions 2.4.23-3 through 2.4.39-1.1 are affected. Only new
installations are affected, not those upgraded from earlier versions.
Configurations generated by dpkg-reconfigure are also affected.
* In OpenLDAP, after a user binds to the server under a particular name,
the access rule "to * by self write" says that they may edit any
attributes of the database entry with that name that were not mentioned
in an earlier access rule.
* User entries commonly include Unix user and group numbers. Of course,
allowing someone to change their own uid or gid number is a severe
security violation. (Whether or not privileges can be escalated to root
by setting uid to 0 depends on the client implementation, but it's
certainly possible.)
* The problem extends to other applications as well. Depending on how
the data are used, a user could impersonate others by editing their own
Kerberos principal name, Samba SID, or various other
application-specific attributes.
My current draft for the debconf note (to be shown on upgrade, if an
access rule beginning with "to * by self write" exists) reads:
Description: Please review access control rules
One or more of your databases contains an access rule that allows users
to edit most of their own attributes. This may be unsafe, depending on
how the database is used.
.
Please review your access control rules. Refer to
/usr/share/doc/slapd/README.Debian.gz for more details.
My draft for README.Debian reads:
Dangerous default access control rule
Previous versions of slapd configured the default database with an
access control rule of the form:
    to *
        by self write
        by dn="cn=admin,dc=example,dc=com" write
        by * read
Depending on how the database and client applications are
configured, users might be able to impersonate others by editing
attributes such as their Unix user and group numbers, their Kerberos
principal name, their Samba security identifier, or other
application-specific attributes.
New slapd installations no longer include "by self write", but
existing configurations will not be automatically modified.
To list your current access control rules, use the command:
    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
Next, create a text file containing the desired modifications, for
example:
    dn: olcDatabase={1}hdb,cn=config
    delete: olcAccess
    olcAccess: {2}
    -
    add: olcAccess
    olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
Adjust the database DN, the administrative DN, and the rule numbers
according to your configuration.
Finally, apply the configuration changes from the file:
    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
For more information about access control rules, consult the
slapd.access(5) man page.
<EOF>
BTW, the next upload of openldap will include these changes:
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.templates?id=master&id2=2.4.39-1
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.README.Debian?id=master&id2=2.4.39-1
in addition to those from this mail. I assume the upload will trigger a
regular review, but early feedback is always welcome.
Thanks in advance for your help!
Ryan
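As an added example, not part of this mail or of the openldap package, the script below parses the olcAccess output of the ldapsearch command from the README draft, flags any "to *" rule that grants "by self write" in any position (broader than the "begins with" test the debconf note uses), and emits the same ldapmodify LDIF the draft shows. The ldapsearch output is a constructed sample, folded the way ldapsearch wraps long values.

```python
import re
# Constructed sample of `ldapsearch ... '(olcAccess=*)' olcAccess` output for the
# affected default config; values {0} and {2} are folded across lines.
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {2}to * by self write by dn="cn=admin,dc=exam
 ple,dc=com" write by * read
"""

def parse_olc_access(ldif_text):
    """Return {database_dn: [(index, rule_text), ...]}; a newline followed by
    one space is an LDIF continuation, not a line break."""
    rules, dn = {}, None
    for line in ldif_text.replace("\n ", "").splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
            rules.setdefault(dn, [])
        elif dn and line.startswith("olcAccess: "):
            m = re.match(r"\{(\d+)\}(.*)", line[len("olcAccess: "):])
            if m:
                rules[dn].append((int(m.group(1)), m.group(2).strip()))
    return rules

def split_rule(rule):
    # 'to * by self write by * read' -> ('to *', ['self write', '* read'])
    parts = re.split(r"\s+by\s+", rule.strip())
    return parts[0], parts[1:]

def is_self_write_on_everything(rule):
    """True for a 'to *' rule that grants 'by self write' in any position."""
    what, who = split_rule(rule)
    return what.split() == ["to", "*"] and any(
        w.split()[:2] == ["self", "write"] for w in who)

def hardened_rule(rule):
    """The same rule with every 'by self write' clause removed."""
    what, who = split_rule(rule)
    kept = [w for w in who if w.split()[:2] != ["self", "write"]]
    return " ".join([what] + ["by " + w for w in kept])

def find_dangerous(ldif_text):
    return [(dn, idx, rule) for dn, lst in parse_olc_access(ldif_text).items()
            for idx, rule in lst if is_self_write_on_everything(rule)]

def build_modify_ldif(dn, idx, rule):
    # LDIF for `ldapmodify -Y EXTERNAL -H ldapi:///`, replacing value {idx}
    return (f"dn: {dn}\nchangetype: modify\ndelete: olcAccess\n"
            f"olcAccess: {{{idx}}}\n-\nadd: olcAccess\n"
            f"olcAccess: {{{idx}}}{hardened_rule(rule)}\n-\n")
```

The userPassword rule is not flagged because its "to" clause is not "*"; only the wildcard rule is rewritten, and the index in the generated LDIF follows the value being replaced.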