Hi pkg-openldap-devel readers,

On 13/09/14 12:05 PM, Ryan Tandy wrote:
> On 13/09/14 08:41 AM, Dietrich Clauss wrote:
>> When LDAP is used to authenticate users (e.g. in conjunction with
>> libnss-ldapd and libpam-ldapd), the rule "olcAccess: to * by self
>> write" allows the user to change her uidNumber and impersonate another
>> user.
>>
>> IMO the default config should allow self-write access to userPassword
>> and shadowLastChange only.
>
> Thanks for the report. I've removed the offending 'by self write' in
> git. I'm not sure why that was added in the first place. The default
> slapd.conf didn't have it and I didn't find any comments about it.
>
> I don't think I'm comfortable doing an automated ACL change to existing
> installs. A NEWS.Debian entry suggesting the change (and mentioning how
> to do it) might be appropriate, though.

What do you think: an entry in NEWS.Debian, or a debconf notice (conditional on detecting a possibly-vulnerable acl)? It occurs to me that the users most likely to be affected by this (default settings, haven't reviewed acls) are also the least likely to read apt-listchanges...

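An added example, not code from this thread or from the Debian slapd package: a small POSIX shell check that unfolds an olcAccess dump and flags rules of the kind discussed above (a <what> clause with no attrs= restriction that still grants "by self write"), with the corrected rule {2} alongside for comparison. The LDIF samples are constructed to mirror the shape of the Debian default; the admin DN cn=admin,dc=example,dc=com and the {1}mdb database index are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the Debian package: scan an
# olcAccess dump for rules whose <what> clause has no attrs= restriction
# but still grants "by self write" (or "by self manage"). Such a rule lets
# any authenticated user rewrite every attribute of her own entry,
# uidNumber included. Admin DN, suffix and database index are placeholders.

# Constructed cn=config excerpt in the shape returned by
#   ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess
# LDIF folds long values: a continuation line starts with one space that is
# dropped on unfolding, so the second space below is the word separator.
SAMPLE_LDIF='dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read
'

# Same excerpt with the fix from the thread applied: "by self write" is
# dropped from rule {2}. Rule {0} matches first for userPassword and
# shadowLastChange, so users keep self-service password changes only.
FIXED_LDIF='dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous
  auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
'

# To apply the fix on a live server (not executed here), replace the whole
# ordered attribute so the rule order stays explicit:
#   ldapmodify -Y EXTERNAL -H ldapi:/// <<'EOF'
#   dn: olcDatabase={1}mdb,cn=config
#   changetype: modify
#   replace: olcAccess
#   olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
#   olcAccess: {1}to dn.base="" by * read
#   olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
#   EOF

# Join LDIF continuation lines (leading single space) onto the line above.
unfold_ldif() {
    awk '
        /^ /      { sub(/^ /, ""); buf = buf $0; next }
        buf != "" { print buf }
                  { buf = $0 }
        END       { if (buf != "") print buf }
    '
}

# Print each offending olcAccess value; exit 0 if any was found, else 1.
# Rules that do restrict attrs= are skipped here; they still deserve a
# manual look if the list contains uidNumber, gidNumber or homeDirectory.
find_self_write_without_attrs() {
    unfold_ldif | awk '
        /^olcAccess: / {
            rule = $0
            sub(/^olcAccess: /, "", rule)
            sub(/^[{][0-9]+[}]/, "", rule)        # drop the {n} ordering prefix
            i = index(rule, " by ")               # <what> ends at the first "by"
            what = (i > 0) ? substr(rule, 1, i - 1) : rule
            who  = (i > 0) ? substr(rule, i) : ""
            if (what !~ /attrs=/ && who ~ / by self (write|manage)( |$)/) {
                print $0
                found = 1
            }
        }
        END { exit found ? 0 : 1 }
    '
}

# Stand-alone run against the constructed sample.
if printf '%s' "$SAMPLE_LDIF" | find_self_write_without_attrs; then
    echo "WARNING: the rule(s) above let users modify their own uidNumber"
fi
```

Run against a real dump, the same function works on `ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=config olcAccess | find_self_write_without_attrs`; the exit status is what a debconf or NEWS.Debian check could key on. Note that ACL evaluation stops at the first matching <what> clause, which is why rule {0} keeps password self-service working after self-write is removed from the catch-all rule.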