[Pkg-openldap-devel] [openldap] 01/03: warn about unsafe acl (#761406)
Ryan Tandy
rtandy-guest at moszumanska.debian.org
Tue Oct 21 16:45:09 UTC 2014
This is an automated email from the git hooks/post-receive script.
rtandy-guest pushed a commit to branch master
in repository openldap.
commit 1868c7d3e2efc0500585d20dd7b771ace9d4aca9
Author: Ryan Tandy <ryan at nardis.ca>
Date: Mon Oct 20 11:01:25 2014 -0700
warn about unsafe acl (#761406)
---
debian/changelog | 2 ++
debian/slapd.README.Debian | 44 ++++++++++++++++++++++++++++++++++++++++++++
debian/slapd.config | 14 ++++++++++++++
debian/slapd.templates | 16 ++++++++++++++++
4 files changed, 76 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 9a14dbc..d22bb64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ openldap (2.4.40-2) UNRELEASED; urgency=medium
* Recommend MDB for new installations, per upstream's recommendation.
* Don't re-create the default DB_CONFIG if there wasn't one in the backup,
for example if the active backend doesn't use it. Thanks Ferenc Wagner.
+ * On upgrade, if an access rule begins with "to * by self write", show a
+ debconf note warning that it should be changed. (Closes: #761406)
-- Ryan Tandy <ryan at nardis.ca> Sun, 19 Oct 2014 17:34:00 -0700
diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
index 85e2b11..a5e307f 100644
--- a/debian/slapd.README.Debian
+++ b/debian/slapd.README.Debian
@@ -235,3 +235,47 @@ Modifications Compared to Upstream
openldap source package.
-- Russ Allbery <rra at debian.org>, Thu, 14 Feb 2008 18:47:07 -0800
+
+Unsafe access control rule installed by default in previous versions
+
+ Versions of slapd before 2.4.40-1 configured the default database with
+ an access control rule of the form:
+
+ to *
+ by self write
+ by dn="cn=admin,dc=example,dc=com" write
+ by * read
+
+ Depending on how the database and client applications are configured,
+ users might be able to impersonate others by editing attributes such
+ as their Unix user and group numbers, or other application-specific
+ attributes.
+
+ New installations no longer include "by self write", but existing
+ configurations will not be automatically modified.
+
+ To list your current access control rules, use the command:
+
+ ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
+
+ To fix the problem, create an LDIF file to replace the rules as
+ needed. For example:
+
+ dn: olcDatabase={1}hdb,cn=config
+ delete: olcAccess
+ olcAccess: {2}
+ -
+ add: olcAccess
+ olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
+
+ Adjust the database DN, the administrative DN, and the rule numbers
+ according to your configuration, following the output from ldapsearch.
+
+ Next, apply the configuration changes from the file:
+
+ ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
+
+ For more information about access control rules, refer to the
+ slapd.access(5) man page.
+
+ -- Ryan Tandy <ryan at nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
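Review bot: the LDIF example in this hunk has no "changetype: modify" line, so it relies on ldapmodify's default of treating a record without a changetype as a modify; an administrator who runs it through ldapadd (which is ldapmodify -a) or a different LDIF consumer will get an add of a bogus entry instead. Suggest inserting "changetype: modify" directly after the "dn: olcDatabase={1}hdb,cn=config" line so the example is unambiguous. It would also help to say explicitly that "olcAccess: {2}" under "delete:" removes the rule at ordered index 2 and that the following "add:" with the same "{2}" prefix puts the replacement back at that position, since the paragraph about adjusting "the rule numbers" is the only hint that the index matters.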
diff --git a/debian/slapd.config b/debian/slapd.config
index 5ccf560..f011936 100644
--- a/debian/slapd.config
+++ b/debian/slapd.config
@@ -146,6 +146,19 @@ configure_dumping() { # {{{
# }}}
# }}}
+warn_about_selfwrite_acl() { # {{{
+# Warn about databases having an acl beginning with "to * by self
+# write", installed by default in previous versions of slapd.init.ldif
+# but having possible security implications.
+ if [ -d "$SLAPD_CONF" ]; then
+ if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
+ "$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
+ db_input high slapd/unsafe_selfwrite_acl || true
+ fi
+ fi
+}
+# }}}
+
# Create an initial directory on fresh install
if is_initial_configuration "$@"; then
if ! want_manual_configuration; then
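Review bot: the grep in warn_about_selfwrite_acl is anchored and whitespace-sensitive ('^olcAccess: {[0-9]*}to \* by self write'), so it only fires when the rule begins with exactly that text and single spaces; a rule where "by self write" is not the first by-clause, or one written with different spacing, is silently skipped. That matches the changelog wording ("begins with"), but the shell comment above the function should say so, and the pattern could tolerate runs of whitespace (e.g. 'to \* *by *self *write' with grep -q) without changing its intent. Also worth noting in the comment that the glob "$SLAPD_CONF"/cn\=config/olcDatabase*.ldif deliberately includes the frontend and config databases, since the debconf note speaks of "one or more of the configured databases".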
@@ -160,6 +173,7 @@ fi
if [ "$1" = configure ] && [ -n "$2" ]; then
configure_dumping
configure_allow_v2_binds
+ warn_about_selfwrite_acl
fi
db_go || true
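Review bot: the call is placed in the "[ "$1" = configure ] && [ -n "$2" ]" branch, i.e. upgrades only, which is consistent with the changelog ("On upgrade") and with new installations no longer shipping the rule; a one-line comment next to the call stating that fresh installs are intentionally excluded would save the next maintainer from wondering why it is not run unconditionally.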
diff --git a/debian/slapd.templates b/debian/slapd.templates
index c038c5e..ab4ee31 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -142,3 +142,19 @@ _Description: Database backend to use:
.
In any case, you should review the resulting database configuration for
your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.
+
+Template: slapd/unsafe_selfwrite_acl
+Type: note
+#flag:comment:3
+# Translators: keep "by self write" and "to *" unchanged. These are part
+# of the slapd configuration and are not translatable.
+_Description: Potentially unsafe slapd access control configuration
+ One or more of the configured databases has an access control rule that
+ allows users to modify most of their own attributes. This may be
+ unsafe, depending on how the database is used.
+ .
+ In the case of slapd access rules that begin with "to *", it is
+ recommended to remove any instances of "by self write", so that users
+ are only able to modify specifically allowed attributes.
+ .
+ See /usr/share/doc/slapd/README.Debian.gz for more details.
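Review bot: the note says "one or more of the configured databases" but never tells the administrator which ones matched, so they must re-run the ldapsearch from README.Debian to find out. Since warn_about_selfwrite_acl already greps the per-database olcDatabase*.ldif files, consider collecting the matching file names (or the olcDatabase DNs) and passing them into the template with db_subst so the description can name the affected databases directly.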