[Pkg-openldap-devel] Bug#761406: debconf notice or NEWS.Debian entry?

Ryan Tandy ryan at nardis.ca
Thu Sep 18 04:43:02 UTC 2014


Hi pkg-openldap-devel readers,

On 13/09/14 12:05 PM, Ryan Tandy wrote:
> On 13/09/14 08:41 AM, Dietrich Clauss wrote:
>> When the LDAP is used to authenticate users (e.g. in conjunction with
>> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self
>> write" allows
>> the user to change her uidNumber and impersonate another user.
>>
>> IMO the default config should allow self-write access to userPassword
>> and shadowLastChange only.
>
> Thanks for the report. I've removed the offending 'by self write' in
> git. I'm not sure why that was added in the first place. The default
> slapd.conf didn't have it and I didn't find any comments about it.
>
> I don't think I'm comfortable doing an automated ACL change to existing
> installs. A NEWS.Debian entry suggesting the change (and mentioning how
> to do it) might be appropriate, though.

What do you think: an entry in NEWS.Debian, or a debconf notice 
(conditional on detecting a possibly-vulnerable acl)? It occurs to me 
that the users most likely to be affected by this (default settings, 
haven't reviewed acls) are also the least likely to read apt-listchanges...
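As an added illustration, not code from this thread or from the Debian package: a check that flags olcAccess values granting `by self write` on more than userPassword and shadowLastChange, the kind of detection a conditional debconf notice would need. The sample rules are constructed; rule {2} is the pattern the report describes.

```python
import re

# Constructed sample olcAccess values (not the Debian package's own config).
# Rule {2} is the pattern the report describes; rule {3} is a narrower but still risky variant.
SAMPLE_OLCACCESS = [
    "{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none",
    '{1}to dn.base="" by * read',
    '{2}to * by self write by dn="cn=admin,dc=example,dc=com" write by * read',
    "{3}to attrs=uidNumber,gidNumber by self write by * read",
]

# Attributes a user may reasonably write on their own entry, per the report.
SAFE_SELF_WRITE_ATTRS = {"userpassword", "shadowlastchange"}

def parse_olcaccess(value):
    """Split 'to <what> by <who> <access> [by ...]' into (<what>, [(who, access), ...]).
    Control keywords (stop/break/continue) after the access level are ignored."""
    value = re.sub(r"^\{\d+\}", "", value.strip())  # drop the {n} ordering prefix
    m = re.match(r"to\s+(.*?)\s+by\s+(.*)$", value)
    if not m:
        raise ValueError("not an olcAccess rule: %r" % value)
    clauses = []
    for by in re.split(r"\s+by\s+", m.group(2)):
        who, access = by.split()[:2]
        clauses.append((who, access))
    return m.group(1).strip(), clauses

def self_write_exposure(value):
    """Attributes a 'by self write' in this rule exposes beyond the safe set:
    '*' if the rule has no attrs= filter, a comma list otherwise, None if safe."""
    what, clauses = parse_olcaccess(value)
    writes = lambda a: a in ("write", "manage") or (a.startswith("=") and "w" in a)
    if not any(who == "self" and writes(access) for who, access in clauses):
        return None
    m = re.search(r"attrs=(\S+)", what)
    if not m:
        return "*"  # whole entry: uidNumber, gidNumber, homeDirectory... all writable
    risky = [a for a in m.group(1).split(",") if a.lower() not in SAFE_SELF_WRITE_ATTRS]
    return ",".join(risky) if risky else None

def audit(rules):
    """Return [(rule index, exposure)] for every rule that grants too much self-write."""
    findings = []
    for i, rule in enumerate(rules):
        exposure = self_write_exposure(rule)
        if exposure is not None:
            findings.append((i, exposure))
    return findings
```

Feed it the olcAccess values read from cn=config (for example via ldapsearch on the database entry); any finding means a user can rewrite account attributes on their own entry.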