[Pkg-openldap-devel] slapd: dangerous access rule in default config
Yves-Alexis Perez
corsac at debian.org
Tue Jan 27 14:21:15 UTC 2015
On Tue., 2015-01-27 at 13:03 +1100, Brian May wrote:
> On 20 January 2015 at 17:06, Yves-Alexis Perez <corsac at debian.org> wrote:
>
> > thanks for the notice. At first sight, since it's really vulnerable
> > when used with local authentication, I would have advised to use a stable
> > upload.
> >
> > But considering the silent configuration update (which might surprise
> > people, especially in stable) and the fact we don't really know how
> > administrators might use user attributes to handle authorizations, it
> > might make sense to release a DSA, in order to have more exposure.
> >
> > OpenLDAP team, what do you think? I can also request a CVE on oss-sec,
> > so we have a broader idea of what security people think about this.
> >
>
> I don't see any response from the OpenLDAP team yet :-(.
Not sure who the mail is actually reaching, so I'm manually adding Luca
and Ryan to the list. Luca, Ryan, did you receive previous mail about
that issue? Do you need a full summary?
>
>
> It is perhaps worth noting that the official OpenLDAP documentation has the
> same issue.
>
> <http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>
>
> Has "Generally one should start with some basic ACLs such as:" and the
> example includes "access to * by self write"
It might be worth pointing out to upstream the dangers of that directive.
>
>
> People I have talked to locally have immediately asked me "where is the
> CVE?" so I think a CVE would be a good idea. I have found a number of
> wheezy based systems I have deployed in recent months have had exactly this
> problem, some after #761406
> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406> was filed, so
> better exposure would be a good thing.
Yeah, I guess it's a good idea, I'll ask oss-sec for a CVE. That also
means this issue will get a lot of exposure, and it might be worth having
a fix ready before that.
>
> The argument could be made that OpenLDAP is only a database, it is up to
> sysadmins to configure appropriately, however using LDAP for user
> authentication seems to be most common.
> (plus I can't think of any application where "access to * by self write"
> would actually be a good idea.)
>
> I believe the version in Jessie has been changed to warn administrators of
> the problem, however this wasn't back-ported as a security update for
> stable; although nice, I don't think it is absolutely necessary for a
> back-port to occur.
I guess this does warrant a DSA.
Regards,
--
Yves-Alexis
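A defender-side check for the directive discussed in this thread, added here as an illustration and not code from the message, from Debian or from OpenLDAP: it parses `access to ...` rules in slapd.conf form or `olcAccess:` lines in cn=config form and flags any rule that gives `self` write (or manage) access to every attribute of an entry (`to *`, or any selector without `attrs=`) or to a POSIX identity attribute. The sample configurations, the attribute list and all function names are constructed for the example.

```python
import re

# Constructed sample configurations (not from the message or from any Debian
# package): the pattern the thread warns about, and a tightened rewrite that
# keeps "self write" only on the password attributes.
DANGEROUS_CONF = """\
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
"""

SAFE_CONF = """\
access to attrs=userPassword,shadowLastChange
    by self write
    by anonymous auth
    by * none
access to *
    by self read
    by * read
"""

# The same dangerous rule expressed in cn=config (olcAccess) form.
DANGEROUS_OLC = "olcAccess: {1}to * by self write by * read\n"

# Attributes that nss/pam LDAP lookups trust for POSIX identity. A user who can
# write these on their own entry can pick their own uid/gid or login shell.
POSIX_IDENTITY_ATTRS = {"uid", "uidnumber", "gidnumber", "homedirectory",
                        "loginshell", "memberuid", "gecos"}
WRITE_LEVELS = {"write", "manage"}


def parse_access_rules(text):
    """Join continuation lines (leading whitespace) and split each
    'access to <what> by <who> <level> ...' directive, in either slapd.conf
    or 'olcAccess: {n}to ...' form, into (what, [(who, level), ...])."""
    directives, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[:1].isspace() and current is not None:
            current += " " + raw.strip()
            continue
        if current is not None:
            directives.append(current)
        current = raw.strip()
    if current is not None:
        directives.append(current)

    rules = []
    for d in directives:
        m = re.match(r"(?:access\s+to|olcAccess:\s*(?:\{\d+\})?\s*to)\s+(.*)", d)
        if not m:
            continue  # not an ACL directive (database, suffix, ...)
        parts = re.split(r"\s+by\s+", m.group(1))
        what = parts[0].strip()
        clauses = []
        for c in parts[1:]:
            toks = c.split()
            if len(toks) >= 2:
                clauses.append((toks[0], toks[1]))
        rules.append((what, clauses))
    return rules


def find_dangerous_rules(text):
    """Return (rule_index, what, clause) for every rule granting 'self' write or
    manage access either to every attribute of the matched entries (no attrs=
    selector, e.g. 'to *') or to a POSIX identity attribute."""
    findings = []
    for idx, (what, clauses) in enumerate(parse_access_rules(text)):
        for who, level in clauses:
            if who != "self" or level not in WRITE_LEVELS:
                continue
            clause = f"by {who} {level}"
            if "attrs=" not in what:
                findings.append((idx, what, clause))
                continue
            attr_list = what.split("attrs=", 1)[1].split()[0]
            attrs = {a.strip().lower() for a in attr_list.split(",")}
            if attrs & POSIX_IDENTITY_ATTRS:
                findings.append((idx, what, clause))
    return findings


if __name__ == "__main__":
    for name, conf in (("dangerous", DANGEROUS_CONF), ("safe", SAFE_CONF),
                       ("olc", DANGEROUS_OLC)):
        print(name, find_dangerous_rules(conf))
```

The tightened configuration keeps `by self write` only on `attrs=userPassword,shadowLastChange`, so a user can still change their own password while `uidNumber`, `gidNumber` and `loginShell` stay read-only for them. The checker can be pointed at an existing slapd.conf or at the output of `slapcat -n 0` on a cn=config installation; the `attrs=` parsing is deliberately simple and does not understand `filter=` or `val` qualifiers.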