[Pkg-openldap-devel] slapd: dangerous access rule in default config

Ryan Tandy ryan at nardis.ca
Wed Jan 28 02:35:47 UTC 2015


On Tue, Jan 27, 2015 at 05:35:08PM +0100, Yves-Alexis Perez wrote:
>For the stable upload, there's no rush (since the thing is already 
>public right now and we just want exposure so people are somehow forced 
>to fix their setup).

OK. So there are two functional packaging commits related to this (plus 
subsequent translation updates):

1d124f2 fixes the default acl used for new initial configs.
1868c7d adds the (conditional) debconf note and some text in 
README.Debian about how to fix it.

IMO both should be safe and suitable for stable.

http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=1d124f25f57c5f0dcbe935e1ea796e767e2603bd
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/commit/?id=1868c7d3e2efc0500585d20dd7b771ace9d4aca9

On Tue, Jan 27, 2015 at 06:14:15PM +0100, Luca Bruno wrote:
>It looks like the saner config has never been ported to stable, so I think
>that the bare minimum for the DSA is that.

Right, it would be nice to not continue generating new dangerous configs 
after the advisory goes out. :)

On Wed, Jan 28, 2015 at 12:17:18PM +1100, Brian May wrote:
>How does this warning work? Does it automatically test for vulnerable
>configurations somehow, or does it warn for all upgrades?

It greps specifically for an acl beginning with "to * by self write", 
the former default, on any database. Anything else will not trigger it.

>I think backporting to wheezy and squeeze-lts would be a good idea, unless
>backporting is complicated for any reason. If it is just a simple debconf
>note, it sounds like it should be simple.

It should be safe. I'll prepare and test the diff as soon as I have time 
(probably not this evening, sorry).

>I have also looked up the situation for CentOS/Fedora. It looks like their
>openldap-servers package doesn't provide any ACLs, so they are OK. I can't find
>any official documentation on how to set up the ACLs, so it is very
>possible sysadmins could get misled, e.g. by the official openldap
>documentation[1] or third party websites[2], and still have vulnerable
>systems.
>
>[1] <http://www.openldap.org/doc/admin24/access-control.html#Basic ACLs>
>[2] <http://www.zytrax.com/books/ldap/ch6/#ex-authenticated>

I'm happy to file an upstream report about the admin guide and example 
config and will do that soon. However the pattern has been there for a 
long time and I expect has been copied many places by now besides just 
Zytrax.

Ubuntu has the same problem and is unfixed. I'll follow up.

thanks,
Ryan
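
As an added example (not part of this thread, and not the Debian debconf check itself): a POSIX shell/awk scanner that applies the same test Ryan describes above, flagging any ACL that begins with "to * by self write", whether it appears as an olcAccess value in cn=config (slapcat output, with LDIF line folding undone first) or as an "access to" directive in slapd.conf. The reason that pattern is dangerous is that "by self write" on "to *" grants every bound user write access to every attribute of its own entry, not only userPassword. The sample configs below are constructed for the example; the hardened one, where self may write only userPassword and shadowLastChange and everything else is read-only, illustrates the safer layout and is not quoted from commit 1d124f2.

```shell
#!/bin/sh
# Added example: scan slapd ACLs for the former Debian default
# "to * by self write". Reads config text on stdin, prints
# "vulnerable" or "ok". Not the packaging's own debconf check.

scan_config() {
    awk '
        function flush() {
            if (buf == "") return
            line = buf
            sub(/^olcAccess:[ \t]*/, "", line)   # cn=config attribute name
            sub(/^access[ \t]+/, "", line)       # slapd.conf keyword
            sub(/^[{][0-9]+[}]/, "", line)       # {n} ordering prefix
            gsub(/[ \t]+/, " ", line)            # squeeze whitespace
            if (tolower(line) ~ /^to \* by self write/) hits++
        }
        /^ / { buf = buf substr($0, 2); next }   # LDIF continuation line: join
        { flush(); buf = $0 }
        END { flush(); print (hits ? "vulnerable" : "ok") }
    '
}

# Constructed sample: cn=config database entry carrying the old default ACL,
# with one value folded across lines the way slapcat prints it.
OLD_CONFIG='dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by
  * read'

# Constructed sample: the same weak rule in slapd.conf syntax.
OLD_SLAPD_CONF='access to attrs=userPassword by self write by anonymous auth by * none
access to * by self write by * read'

# Constructed sample of a hardened layout (illustrative, not the commit text):
# self may write only its password fields; everything else is read-only.
NEW_CONFIG='dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read'

# Stand-alone demo: prints vulnerable, vulnerable, ok.
for sample in "$OLD_CONFIG" "$OLD_SLAPD_CONF" "$NEW_CONFIG"; do
    printf '%s\n' "$sample" | scan_config
done
```

On a live Debian or Ubuntu server the check runs as "slapcat -n 0 | scan_config" (database 0 is cn=config); for a slapd.conf setup, feed the file directly. The scanner only unfolds LDIF continuation lines, so a slapd.conf "access" directive split over several lines with leading whitespace is not joined. Anything other than an ACL starting with "to * by self write" is left alone, matching the narrow behaviour of the debconf note.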
