[Pkg-openldap-devel] slapd: dangerous access rule in default config
Luca Bruno
lucab at debian.org
Tue Jan 27 15:49:45 UTC 2015
On Tuesday 27 January 2015 15:21:15 Yves-Alexis Perez wrote:
> On mar., 2015-01-27 at 13:03 +1100, Brian May wrote:
> > On 20 January 2015 at 17:06, Yves-Alexis Perez <corsac at debian.org> wrote:
> > > thanks for the notice. At first sight, since it's really vulnerable
> > > when used with local authentication, I would have advised to use a
> > > stable upload.
> > >
> > > But considering the silent configuration update (which might surprise
> > > people, especially in stable) and the fact we don't really know how
> > > administrators might use user attributes to handle authorizations, it
> > > might make sense to release a DSA, in order to have more exposure.
> > >
> > > OpenLDAP team, what do you think? I can also request a CVE on oss-sec,
> > > so we have a broader idea of what security people think about this.
> >
> > I don't see any response from the OpenLDAP team yet :-(.
>
> Not sure who the mail is actually reaching, so I'm manually adding Luca
> and Ryan to the list. Luca, Ryan, did you receive previous mail about
> that issue? Do you need a full summary?
I don't know where this thread is coming from, but it may just be me missing
the initial mail.
In any case, I think you are speaking about
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406
> > It is perhaps worth noting that the official OpenLDAP documentation has
> > the same issue.
> >
> > <http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>
> >
> > Has "Generally one should start with some basic ACLs such as:" and the
> > example includes "access to * by self write"
>
> It might be worth pointing upstream about the dangers of that directive.
This also explains where that rule is coming from.
> > People I have talked to locally have immediately asked me "where is the
> > CVE?" so I think a CVE would be a good idea. I have found a number of
> > wheezy based systems I have deployed in recent months have had exactly
> > this problem, some after #761406
> > <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406> was filed, so
> > better exposure would be a good thing.
>
> Yeah, I guess it's a good idea, I'll ask oss-sec for a CVE. That also
> means this issue will get a lot of exposure, and it might be worth having
> a fix ready before that.
>
> > The argument could be made that OpenLDAP is only a database, it is up to
> > sysadmins to configure appropriately, however using LDAP for user
> > authentication seems to be most common.
> > (plus I can't think of any application where "access to * by self write"
> > would actually be a good idea.)
> >
> > I believe the version in Jessie has been changed to warn administrators of
> > the problem, however this wasn't back-ported as a security update for
> > stable; although nice, I don't think it is absolutely necessary for a
> > back-port to occur.
>
> I guess this does warrant a DSA.
What should we do here?
I'm not much into the details (I just recently started sponsoring openldap),
but Ryan already expressed some concerns about automatically patching live
configurations.
A debconf warning is already in place for jessie, and a full backport is
currently sitting in bpo-NEW. Should we cherry-pick the same warning for
wheezy and squeeze-lts?
Regards, Luca
--
.''`. ** Debian GNU/Linux ** | Luca Bruno (kaeso)
: :' : The Universal O.S. | lucab (AT) debian.org
`. `'` | GPG Key ID: 0x4F3BBEBF
`- http://www.debian.org | Debian GNU/Linux Developer
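As an added example (not part of this thread, the Debian package or the OpenLDAP admin guide), the following LDIF shows the rule under discussion as it appears in a cn=config style setup, and a tightened replacement that keeps "by self write" only on the attributes a user must be able to change. Everything else falls through to a final rule that is read-only for the bound user. The database index ({1}mdb), the suffix dc=example,dc=com, the cn=admin DN and the list of self-writable attributes are assumptions; adapt them to the local deployment (on wheezy the backend is usually olcDatabase={1}hdb).

```ldif
# Added example, not the Debian default configuration.
#
# Why "to * by self write" is dangerous: the first matching "to" clause wins
# in slapd ACL evaluation, so any attribute not named in an earlier rule is
# covered by the catch-all. With "by self write" on that catch-all, a user
# who can bind can modify any attribute of their own entry, including the
# posixAccount attributes (uidNumber, gidNumber, homeDirectory, ...) that
# nss/pam trust on hosts authenticating against this directory. Setting
# uidNumber to 0 is then an ordinary self-service edit.
#
# The weak layout, for reference (commented out so this file applies cleanly):
#
#   olcAccess: {0}to attrs=userPassword,shadowLastChange
#     by self write by anonymous auth
#     by dn="cn=admin,dc=example,dc=com" write by * none
#   olcAccess: {1}to dn.base="" by * read
#   olcAccess: {2}to * by self write
#     by dn="cn=admin,dc=example,dc=com" write by * read
#
# Tightened replacement. Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f hardened-acl.ldif

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=example,dc=com" write
  by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to attrs=loginShell,description,mail
  by self write
  by dn="cn=admin,dc=example,dc=com" write
  by * read
olcAccess: {3}to *
  by self read
  by dn="cn=admin,dc=example,dc=com" write
  by * read
```

Rule {0} keeps password self-service working (userPassword and shadowLastChange must stay self-writable for passwd to function, and "by anonymous auth" is what lets clients bind at all). Rule {2} is the policy decision: it enumerates the attributes a user may maintain themselves, and that list is an assumption here; anything not listed lands on rule {3} and is read-only for the owner. To audit an existing server, dump the live rules with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcAccess=*)' olcAccess` and look for a "to *" clause carrying "by self write"; to confirm the fix, bind as an ordinary user and try an `ldapmodify` that replaces uidNumber on that user's own entry, which should now fail with "Insufficient access (50)".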