[Pkg-openldap-devel] slapd: dangerous access rule in default config

Brian May brian at microcomaustralia.com.au
Tue Jan 27 02:03:37 UTC 2015


On 20 January 2015 at 17:06, Yves-Alexis Perez <corsac at debian.org> wrote:

> thanks for the notice. At first sight, since it's really vulnerable
> when used with local authentication, I would have advised to use a stable
> upload.
>
> But considering the silent configuration update (which might surprise
> people, especially in stable) and the fact we don't really know how
> administrators might use user attributes to handle authorizations, it
> might make sense to release a DSA, in order to have more exposure.
>
> OpenLDAP team, what do you think? I can also request a CVE on oss-sec,
> so we have a broader idea of what security people think about this.
>

I don't see any response from the OpenLDAP team yet :-(.


It is perhaps worth noting that the official OpenLDAP documentation has the
same issue.

<http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>

Has "Generally one should start with some basic ACLs such as:" and the
example includes "access to * by self write"


People I have talked to locally have immediately asked me "where is the
CVE?" so I think a CVE would be a good idea. I have found a number of
wheezy-based systems I have deployed in recent months have had exactly this
problem, some after #761406
<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406> was filed, so
better exposure would be a good thing.

The argument could be made that OpenLDAP is only a database, it is up to
sysadmins to configure appropriately; however, using LDAP for user
authentication seems to be most common.
(plus I can't think of any application where "access to * by self write"
would actually be a good idea.)

I believe the version in Jessie has been changed to warn administrators of
the problem; however, this wasn't back-ported as a security update for
stable. Although nice, I don't think it is absolutely necessary for a
back-port to occur.
-- 
Brian May <brian at microcomaustralia.com.au>
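To make the rule under discussion concrete, here is an added example (not from the thread, the Debian package or the OpenLDAP admin guide) of the dangerous default as it appears in a cn=config database, next to a tightened replacement. "access to * by self write" grants every authenticated user write access to every attribute of their own entry; on a posixAccount that includes uidNumber, gidNumber, homeDirectory and loginShell, which is exactly what makes it dangerous when the directory backs local authentication. The database DN olcDatabase={1}mdb,cn=config, the suffix dc=example,dc=com and the admin DN cn=admin,dc=example,dc=com are assumptions; check your own with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess before applying anything.

```ldif
# Added example: weak default ACL beside a tightened replacement.
# Database DN, suffix and admin DN are assumed values, not taken from
# the thread. Adjust them to the server you are fixing.

# BEFORE (shown for comparison, do not apply). Rule {2} is the problem:
# "by self write" on "to *" lets any bound user rewrite any attribute of
# their own entry, including uidNumber and gidNumber on a posixAccount.
#
# olcAccess: {0}to attrs=userPassword,shadowLastChange
#   by self write by anonymous auth
#   by dn="cn=admin,dc=example,dc=com" write by * none
# olcAccess: {1}to dn.base="" by * read
# olcAccess: {2}to * by self write
#   by dn="cn=admin,dc=example,dc=com" write by * read

# AFTER: replace the whole olcAccess list so that users may only change
# their own password (and shadowLastChange, which pam_ldap updates on a
# password change); everything else is read-only for them.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f fix-acl.ldif
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=admin,dc=example,dc=com" write
  by * read
```

Continuation lines in LDIF begin with a space that is stripped on unfolding, so the second space above is what keeps "shadowLastChange" and "by" apart. The slapd.conf equivalent of the tightened catch-all is "access to * by dn=\"cn=admin,dc=example,dc=com\" write by * read". To check the result, bind as an ordinary user (for example with ldapmodify -x -D uid=alice,ou=people,dc=example,dc=com -W, an assumed DN) and attempt to replace uidNumber on that user's own entry: the server must answer with "Insufficient access (50)". If users genuinely need to edit some of their own attributes (mail, telephoneNumber and the like), grant that with an explicit "to attrs=... by self write" rule placed before the catch-all rather than by reintroducing "by self write" on "to *".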