[Pkg-openldap-devel] [openldap] 05/09: warn about unsafe acl (#761406)

Ryan Tandy rtandy-guest at moszumanska.debian.org
Tue Apr 14 00:19:33 UTC 2015


This is an automated email from the git hooks/post-receive script.

rtandy-guest pushed a commit to branch squeeze
in repository openldap.

commit 6027b27683b1b899eaf57339e15dd7a25b111b87
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Sun Feb 1 00:11:32 2015 +0000

    warn about unsafe acl (#761406)
    
    Cherry-picked from 1078641.
    
    Conflicts:
    	debian/changelog
---
 debian/changelog           |  5 +++++
 debian/slapd.README.Debian | 44 ++++++++++++++++++++++++++++++++++++++++++++
 debian/slapd.config        | 14 ++++++++++++++
 debian/slapd.templates     | 16 ++++++++++++++++
 4 files changed, 79 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index aeb5955..434eff0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,11 @@ openldap (2.4.23-7.3+deb6u1) UNRELEASED; urgency=high
 
   * debian/slapd.init.ldif: Disallow modifying one's own entry by default,
     except specific attributes. (CVE-2014-9713) (Closes: #761406)
+  * debian/slapd.{config,templates}: On upgrade, if an access rule begins with 
+    "to * by self write", show a debconf note warning that it should be 
+    changed.
+  * debian/slapd.README.debian: Add information about how to remove "to * by 
+    self write" from existing ACLs.
 
  -- Ryan Tandy <ryan at nardis.ca>  Mon, 13 Apr 2015 08:53:26 -0700
 
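Review bot: the file name in the last changelog entry, "debian/slapd.README.debian", does not match the actual file touched by this commit, "debian/slapd.README.Debian" (see the diff header for that file); fix the case so the entry points at the right path. The two lines ending in "begins with " and "should be " also carry trailing whitespace that should be stripped.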
diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
index 5b0ecb4..a8a8a86 100644
--- a/debian/slapd.README.Debian
+++ b/debian/slapd.README.Debian
@@ -200,3 +200,47 @@ Modifications Compared to Upstream
   openldap source package.
 
  -- Russ Allbery <rra at debian.org>, Thu, 14 Feb 2008 18:47:07 -0800
+
+Unsafe access control rule installed by default in previous versions
+
+  Versions of slapd before 2.4.31-1+nmu2+deb7u1 configured the default
+  database with an access control rule of the form:
+
+  to *
+    by self write
+    by dn="cn=admin,dc=example,dc=com" write
+    by * read
+
+  Depending on how the database and client applications are configured,
+  users might be able to impersonate others by editing attributes such
+  as their Unix user and group numbers, or other application-specific
+  attributes.
+
+  New installations no longer include "by self write", but existing
+  configurations will not be automatically modified.
+
+  To list your current access control rules, use the command:
+
+    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
+
+  To fix the problem, create an LDIF file to replace the rules as
+  needed. For example:
+
+    dn: olcDatabase={1}hdb,cn=config
+    delete: olcAccess
+    olcAccess: {2}
+    -
+    add: olcAccess
+    olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
+
+  Adjust the database DN, the administrative DN, and the rule numbers
+  according to your configuration, following the output from ldapsearch.
+
+  Next, apply the configuration changes from the file:
+
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
+
+  For more information about access control rules, refer to the
+  slapd.access(5) man page.
+
+ -- Ryan Tandy <ryan at nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
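Review bot: the version in "Versions of slapd before 2.4.31-1+nmu2+deb7u1" is the wheezy fix version, but this is the squeeze branch, where the changelog hunk gives the fixed version as 2.4.23-7.3+deb6u1; the cherry-picked text should be adjusted (or phrased without a version) so squeeze users are not misled into thinking they are unaffected. In the example LDIF, consider adding an explicit `changetype: modify` line after `dn: olcDatabase={1}hdb,cn=config`; ldapmodify defaults to modify, but the explicit form is less error-prone if the snippet is later fed to ldapadd or copied into a larger file.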
diff --git a/debian/slapd.config b/debian/slapd.config
index 5ccf560..3f8648f 100644
--- a/debian/slapd.config
+++ b/debian/slapd.config
@@ -146,6 +146,19 @@ configure_dumping() {							# {{{
 # }}}
 # }}}
 
+warn_about_selfwrite_acl() {						# {{{
+# Warn about databases having an acl beginning with "to * by self
+# write", installed by default in previous versions of slapd.init.ldif
+# but having possible security implications.
+	if [ -d "$SLAPD_CONF" ]; then
+		if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
+			"$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
+			db_input high slapd/unsafe_selfwrite_acl || true
+		fi
+	fi
+}
+# }}}
+
 # Create an initial directory on fresh install
 if is_initial_configuration "$@"; then
 	if ! want_manual_configuration; then
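Review bot: the detection is prefix-only: `'^olcAccess: {[0-9]*}to \* by self write'` catches exactly the rule shape the old slapd.init.ldif installed, but an administrator who reordered the clauses (for example `to * by dn="..." write by self write by * read`) has the same exposure and gets no warning; if the intent is to flag any "to *" rule granting self write, a pattern such as `^olcAccess: {[0-9]*}to \* .*by self write` would be more robust while still matching the default rule. Also note that slapd writes attribute values it cannot represent as plain LDIF (for example a DN with non-ASCII characters) as base64 with `olcAccess::`, which this grep will not match; that case is rare enough that a comment acknowledging the limitation may be sufficient.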
@@ -160,6 +173,7 @@ fi
 if [ "$1" = configure ] && [ -n "$2" ]; then
 	configure_dumping
 	configure_allow_v2_binds
+	warn_about_selfwrite_acl
 fi
    
 db_go || true
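Review bot: because debconf marks a note as seen after the first `db_input`, `warn_about_selfwrite_acl` will display the warning only on the first upgrade that detects the rule; later upgrades with the unsafe ACL still in place will skip it silently. If the intent is to keep warning until the rule is actually removed, call `db_fset slapd/unsafe_selfwrite_acl seen false || true` before the `db_input` in that function.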
diff --git a/debian/slapd.templates b/debian/slapd.templates
index 551e881..e362e52 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -141,3 +141,19 @@ _Description: Database backend to use:
  In either case, you should review the resulting database configuration
  for your needs. See /usr/share/doc/slapd/README.DB_CONFIG.gz for more
  details.
+
+Template: slapd/unsafe_selfwrite_acl
+Type: note
+#flag:comment:3
+# Translators: keep "by self write" and "to *" unchanged. These are part
+# of the slapd configuration and are not translatable.
+_Description: Potentially unsafe slapd access control configuration
+ One or more of the configured databases has an access control rule that
+ allows users to modify most of their own attributes. This may be
+ unsafe, depending on how the database is used.
+ .
+ In the case of slapd access rules that begin with "to *", it is
+ recommended to remove any instances of "by self write", so that users
+ are only able to modify specifically allowed attributes.
+ .
+ See /usr/share/doc/slapd/README.Debian.gz for more details.
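Review bot: the note never names the issue it relates to; since the changelog records this as CVE-2014-9713 (#761406), mentioning the CVE identifier in the first or last paragraph would let administrators cross-reference the advisory and their own tracking tools without reading the full README.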

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git