[Pkg-openldap-devel] Bug#761406: debconf notice or NEWS.Debian entry?
Lesley Longhurst
Lesley.Longhurst at opus.co.nz
Thu Sep 18 05:20:25 UTC 2014
How about a brief debconf notice with a pointer to "further info" which would be an expanded version in NEWS.Debian?
Those same users are also way less likely to understand the issue, so a "words of one syllable approach" would seem sensible to me.
-----Original Message-----
From: Ryan Tandy [mailto:ryan at nardis.ca]
Sent: Thursday, 18 September 2014 4:43 p.m.
To: 761406 at bugs.debian.org
Subject: Bug#761406: debconf notice or NEWS.Debian entry?
Hi pkg-openldap-devel readers,
On 13/09/14 12:05 PM, Ryan Tandy wrote:
> On 13/09/14 08:41 AM, Dietrich Clauss wrote:
>> When the LDAP is used to authenticate users (e.g. in conjunction with
>> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self
>> write" allows the user to change her uidNumber and impersonate
>> another user.
>>
>> IMO the default config should allow self-write access to userPassword
>> and shadowLastChange only.
>
> Thanks for the report. I've removed the offending 'by self write' in
> git. I'm not sure why that was added in the first place. The default
> slapd.conf didn't have it and I didn't find any comments about it.
>
> I don't think I'm comfortable doing an automated ACL change to
> existing installs. A NEWS.Debian entry suggesting the change (and
> mentioning how to do it) might be appropriate, though.
What do you think: an entry in NEWS.Debian, or a debconf notice (conditional on detecting a possibly-vulnerable acl)? It occurs to me that the users most likely to be affected by this (default settings, haven't reviewed acls) are also the least likely to read apt-listchanges...
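As an added example (not from this thread or the Debian package), here is the detection half of the debconf idea above: a POSIX shell check that flags an olcAccess rule whose target is the catch-all `to *` and whose clauses grant `by self write`, run against constructed LDIF samples of the weak and corrected configuration. The function name and both samples are my own; the ldapsearch invocation in the comment is how you would get real input on a server using cn=config.

```shell
#!/bin/sh
# Added example (not from the thread): flag the over-broad ACL discussed in
# Bug#761406, a catch-all "to *" rule that grants "by self write", which lets
# an authenticated user rewrite attributes such as uidNumber on her own entry.
# On a live server the input would come from
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess
# Here two constructed LDIF samples are embedded so the check runs offline.

# Constructed sample: the weak form, self write on every attribute via "to *".
# (The {0} value is folded the way ldapsearch folds long lines.)
WEAK_ACL='dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
  anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by * read'

# Constructed sample: the corrected form, self write only on the password
# attributes; the catch-all rule is read-only for everyone.
FIXED_ACL='dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
  anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read'

# find_self_write_catchall LDIF_TEXT
# Prints each olcAccess value (ordering prefix stripped) whose target is "to *"
# and whose clauses include "by self write". Exit 0 if any was found, 1 if none.
find_self_write_catchall() {
    printf '%s\n' "$1" | awk '
        # LDIF folds long values: a line starting with a space continues the
        # previous one, so join those before inspecting the value.
        /^ / { buf = buf substr($0, 2); next }
        { check(buf); buf = $0 }
        END { check(buf); exit found ? 0 : 1 }
        function check(line) {
            if (line !~ /^olcAccess: /) return
            sub(/^olcAccess: ([{][0-9]+[}])?/, "", line)
            if (line ~ /^to \* .*by self write/) { print line; found = 1 }
        }'
}

# Stand-alone demo: the weak sample is flagged, the corrected one is not.
find_self_write_catchall "$WEAK_ACL" && echo "weak sample: possibly vulnerable"
find_self_write_catchall "$FIXED_ACL" || echo "fixed sample: clean"
```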