[Pkg-openldap-devel] Bug#761406: Please review text for security warning
Justin B Rye
justin.byam.rye at gmail.com
Sat Oct 4 23:26:50 UTC 2014
Ryan Tandy wrote:
[...]
> My current draft for the debconf note (to be shown on upgrade, if an
> access rule beginning with "to * by self write" exists) reads:
>
> Description: Please review access control rules
You also have a "please review" later on. Maybe this could say
something like
Description: OpenLDAP access control rule issue
> One or more of your databases contains an access rule that allows users
> to edit most of their own attributes. This may be unsafe, depending on
> how the database is used.
> .
> Please review your access control rules. Refer to
> /usr/share/doc/slapd/README.Debian.gz for more details.
Do you really mean to talk about databases *containing* access rules?
Maybe it should say something like:
One or more of the databases configured in /etc/openldap/slapd.conf
has an access rule that allows users to edit most of their own
attributes. This may be unsafe, depending on how the database is used.
> My draft for README.Debian reads:
>
> Dangerous default access control rule
>
> Previous versions of slapd configured the default database with an
> access control rule of the form:
If this is being incorporated into an existing README.Debian rather
than a NEWS.Debian it needs some sort of datestamp or version number
or other indicator of what "previous" is relative to:
Versions of slapd before X.Y-Z configured the default database with
an access control rule of the form:
>
> to *
> by self write
> by dn="cn=admin,dc=example,dc=com" write
> by * read
>
> Depending on the how the database and client applications are
XXX
Surplus article.
> configured, users might be able to impersonate others by editing
> attributes such as their Unix user and group numbers, their Kerberos
> principal name, their Samba security identifier, or other
> application-specific attributes.
>
> New slapd installations no longer include "by self write", but
> existing configurations will not be automatically modified.
>
> To list your current access control rules, use the command:
>
> ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
>
> Next, create a text file containing the desired modifications, for
> example:
Maybe call it "an ldif file" here?
> dn: olcDatabase={1}hdb,cn=config
> delete: olcAccess
> olcAccess: {2}
> -
> add: olcAccess
> olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
>
> Adjust the database DN, the administrative DN, and the rule numbers
> according to your configuration.
>
> Finally, apply the configuration changes from the file:
>
> ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
>
> For more information about access control rules, consult the
> slapd.access(5) man page.
>
> <EOF>
That's an alarmingly fragile-looking procedure... is it really
impossible to fix this just by loading a corrected slapd.conf? Well,
at any rate I can see why you might not want to cram that into a
debconf dialogue!
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
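An added example, not part of this thread and not code from the slapd package, that turns the check and the fix from the README draft above into a script: it reads the olcAccess output of the ldapsearch command in the draft, undoes LDIF line folding, flags rules on "to *" that carry a "by self write" clause, and writes the delete/add LDIF in the shape of the draft's mods.ldif. The input LDIF is constructed for the example; the database DN olcDatabase={1}hdb,cn=config and the administrative DN cn=admin,dc=example,dc=com are the ones used in the draft. The detection is slightly wider than the debconf trigger: it catches "by self write" anywhere in a "to *" rule, not only in rules that begin with it.

```python
#!/usr/bin/env python3
"""Detect 'to * ... by self write ...' olcAccess rules in cn=config LDIF and
emit the ldapmodify LDIF that removes the 'by self write' clause.

Offline example: the input below is constructed.  Against a live server the
same text comes from
  ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
"""
import re

# Constructed sample of what ldapsearch prints: two databases, one legitimate
# 'by self write' (userPassword only) and one dangerous 'to *' rule.  Long
# values are folded LDIF-style (continuation lines start with a space).
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=externa
 l,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" wri
 te by * read
"""

# {N}to <what> <by clauses...>; N is the X-ORDERED index slapd prints.
RULE_RE = re.compile(r"^\{(\d+)\}to\s+(\S+)(?:\s+(.*))?$")
# The clause this thread is about, plus the optional control keyword
# (stop/continue/break) that slapd.access(5) allows after a 'by' clause.
SELF_WRITE_RE = re.compile(r"\s*\bby\s+self\s+write\b(?:\s+(?:stop|continue|break)\b)?")


def unfold(text):
    """Undo LDIF folding: a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return [(dn, [olcAccess values...]), ...].  Assumes plain 'dn:' lines;
    base64 'dn::' is not handled (cn=config DNs are ASCII in practice)."""
    entries, dn, values = [], None, []
    for line in unfold(text) + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, values))
            dn, values = None, []
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("olcAccess: "):
            values.append(line[len("olcAccess: "):])
    return entries


def is_dangerous(value):
    """True for a rule on every attribute ('to *') that lets 'self' write."""
    m = RULE_RE.match(value)
    return bool(m) and m.group(2) == "*" and bool(SELF_WRITE_RE.search(m.group(3) or ""))


def fixed_rule(value):
    """The same rule with its 'by self write' clause removed; 'self' then
    falls through to whatever later clause matches (e.g. 'by * read')."""
    return SELF_WRITE_RE.sub("", value, count=1)


def find_self_write_rules(entries):
    """[(dn, value)] for every dangerous rule: the upgrade-time check."""
    return [(dn, v) for dn, values in entries for v in values if is_dangerous(v)]


def modify_ldif(entries):
    """ldapmodify input that deletes each dangerous value by its {N} index and
    re-adds the corrected value at the same position, as in the README draft."""
    out = []
    for dn, values in entries:
        mods = []
        for value in values:
            if is_dangerous(value):
                index = RULE_RE.match(value).group(1)
                mods.append("delete: olcAccess\nolcAccess: {%s}\n-\n"
                            "add: olcAccess\nolcAccess: %s" % (index, fixed_rule(value)))
        if mods:
            out.append("dn: %s\nchangetype: modify\n%s\n" % (dn, "\n-\n".join(mods)))
    return "\n".join(out)


if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    for dn, value in find_self_write_rules(entries):
        print("%s: %s" % (dn, value))
    print(modify_ldif(entries))          # redirect to mods.ldif
```

Apply the output with the ldapmodify command from the draft (ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif), but read the generated rule first: dropping the clause leaves "self" with whatever a later "by" clause grants, and a rule whose only clause was "by self write" would be left with no "by" clause at all.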