[Pkg-openldap-devel] slapd: dangerous access rule in default config

Ryan Tandy ryan at nardis.ca
Tue Jan 27 16:26:47 UTC 2015


On Tue, Jan 27, 2015 at 03:21:15PM +0100, Yves-Alexis Perez wrote:
>On mar., 2015-01-27 at 13:03 +1100, Brian May wrote:
>> On 20 January 2015 at 17:06, Yves-Alexis Perez <corsac at debian.org> wrote:
>>
>> > thanks for the notice. At first sight, since it's really vulnerable
>> > when used with local authentication, I would have advised to use a stable
>> > upload.
>> >
>> > But considering the silent configuration update (which might surprise
>> > people, especially in stable) and the fact we don't really know how
>> > administrators might use user attributes to handle authorizations, it
>> > might makes sense to release a DSA, in order to have more exposure.
>> >
>> > OpenLDAP team, what do you think? I can also request a CVE on oss-sec,
>> > so we have a broader idea of what security people think about this.
>> >
>>
>> I don't see any response from the OpenLDAP team yet :-(.
>
>Not sure who the mail is actually reaching, so I'm manually adding Luca
>and Ryan to the list. Luca, Ryan, did you receive previous mail about
>that issue? Do you need a full summary?

I'm afraid I didn't receive the previous messages. We've been having 
problems with mail to non-subscribers not coming through to the list. 
I have been trying to contact an admin about fixing it but it hasn't 
been sorted out yet. Sorry about that.

>>
>>
>> It is perhaps worth noting that the official OpenLDAP documentation has the
>> same issue.
>>
>> <http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>
>>
>> Has "Generally one should start with some basic ACLs such as:" and the
>> example includes "access to * by self write"
>
>It might be worth pointing upstream about the dangers of that directive.
>>
>>
>> People I have talked to locally have immediately asked me "where is the
>> CVE?" so I think a CVE would be a good idea. I have found a number of
>> wheezy based systems I have deployed in recent months have had exactly this
>> problem, some after #761406
>> <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=761406> was filled, so
>> better exposure would be a good thing.
>
>Yeah, I guess it's a good idea, I'll ask oss-sec for a CVE. That also
>mean this issue will get a lot of exposure, and it might be worth having
>a fix ready before that.
>>
>> The argument could be made that OpenLDAP is only a database, it is up to
>> sysadmin's to configure appropriately, however using LDAP for user
>> authentication seems to be most common.
>> (plus I can't think of any application where "access to * by self write"
>> would actually be a good idea.)
>>
>> I believe the version in Jessie has been changed to warn administrators of
>> the problem, however this wasn't back-ported as a security update for
>> stable; although nice, I don't think it is absolutely necessarily for a
>> back-port to occur.
>
>I guess this does warrant a DSA.

Right, in jessie there is a debconf warning on upgrade if the vulnerable 
configuration is detected. I spent some time thinking about how an 
automatic fix (with the admin's approval) could be achieved, but 
eventually decided that I didn't trust myself to do it safely, given the 
complexity of possible configurations and requirement for a 
slapcat/slapadd round-trip of the configuration database. (In 2.5 
slapmodify(8) has been introduced, which will help a lot with that last 
point.)

http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=1868c7d3e2efc0500585d20dd7b771ace9d4aca9

If I understand correctly, you plan to allocate a CVE, perform a 
security upload to add the warning, and issue a DSA about it. Is that 
right? An automatic configuration change was mentioned in the context 
above, is that also a possibility?

How can I help? By providing a debdiff for the backported change? By 
contacting upstream about fixing their documentation? Anything else? (By 
getting the mailing list fixed, certainly...)

thanks,
Ryan



More information about the Pkg-openldap-devel mailing list