Dear debian-l10n-english,

Bug #761406 reported a rule included in Debian's default slapd configuration that granted users more permissions than one might assume, with possible security consequences. I removed that rule for new installations, but I don't want to try automatically changing existing configurations. Instead, I want to show a brief debconf note with a summary of the problem and a pointer to README.Debian, where there would be a longer explanation and an example of how to resolve it. I'm writing to ask for help composing both of those texts.

Summary of the bug:

* Versions 2.4.23-3 through 2.4.39-1.1 are affected. Only new installations are affected, not those upgraded from earlier versions. Configurations generated by dpkg-reconfigure are also affected.

* In OpenLDAP, after a user binds to the server under a particular name, the access rule "to * by self write" says that they may edit any attributes of the database entry with that name that were not mentioned in an earlier access rule.

* User entries commonly include Unix user and group numbers. Of course, allowing someone to change their own uid or gid number is a severe security violation. (Whether or not privileges can be escalated to root by setting uid to 0 depends on the client implementation, but it's certainly possible.)

* The problem extends to other applications as well. Depending on how the data are used, a user could impersonate others by editing their own Kerberos principal name, Samba SID, or various other application-specific attributes.

My current draft for the debconf note (to be shown on upgrade, if an access rule beginning with "to * by self write" exists) reads:

Description: Please review access control rules
 One or more of your databases contains an access rule that allows users
 to edit most of their own attributes. This may be unsafe, depending on
 how the database is used.
 .
 Please review your access control rules. Refer to
 /usr/share/doc/slapd/README.Debian.gz for more details.

My draft for README.Debian reads:

Dangerous default access control rule

Previous versions of slapd configured the default database with an access
control rule of the form:

    to * by self write by dn="cn=admin,dc=example,dc=com" write by * read

Depending on how the database and client applications are configured, users
might be able to impersonate others by editing attributes such as their Unix
user and group numbers, their Kerberos principal name, their Samba security
identifier, or other application-specific attributes.

New slapd installations no longer include "by self write", but existing
configurations will not be automatically modified.

To list your current access control rules, use the command:

    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess

Next, create a text file containing the desired modifications, for example:

    dn: olcDatabase={1}hdb,cn=config
    delete: olcAccess
    olcAccess: {2}
    -
    add: olcAccess
    olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read

Adjust the database DN, the administrative DN, and the rule numbers according
to your configuration.

Finally, apply the configuration changes from the file:

    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif

For more information about access control rules, consult the slapd.access(5)
man page.
<EOF>

BTW, the next upload of openldap will include these changes:

http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.templates?id=master&id2=2.4.39-1
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.README.Debian?id=master&id2=2.4.39-1

in addition to those from this mail. I assume the upload will trigger a regular review, but early feedback is always welcome.

Thanks in advance for your help!

Ryan

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
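The README draft above describes a three-step procedure: dump the olcAccess rules with ldapsearch, hand-write an LDIF that swaps the offending rule for one without "by self write", and apply it with ldapmodify. As an added example (not part of Ryan's mail, the slapd package, or its postinst), the Python script below automates the middle step: it parses saved ldapsearch LDIF output (unfolding continuation lines), flags every rule that matches the mail's own trigger criterion (a rule beginning with "to * by self write"), and emits the ldapmodify input the README shows, keeping each rule's index. The embedded olcAccess output is constructed to resemble a Debian default install of an affected version; the `olcDatabase={1}hdb` name and the `cn=admin,dc=example,dc=com` administrative DN are assumptions taken from the README draft and must be checked against a real configuration.

```python
"""Find 'to * by self write' olcAccess rules in ldapsearch output and
generate the ldapmodify LDIF that removes the 'by self write' clause.

Added example, not slapd package code. Run the README's ldapsearch command,
save its output, and pass the text to parse_olc_access()."""
import base64
import re

# Constructed sample of what `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config
# '(olcAccess=*)' olcAccess -LLL` prints on an affected default install.
# Long values are folded: a continuation line starts with one space.
SAMPLE_LDIF = """\
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
 s auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by *
  read
"""

ATTR = "olcAccess"
# cn=config keeps olcAccess as X-ORDERED values: "{index}rule"
ORDERED = re.compile(r"^\{(\d+)\}(.*)$")
# The mail's trigger: a rule that *begins* with "to * by self write".
# "by self write" restricted to named attrs (e.g. userPassword) is not flagged.
DANGEROUS = re.compile(r"^to\s+\*\s+by\s+self\s+write\b")


def unfold_ldif(text):
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    return unfolded


def parse_olc_access(text):
    """Return [(dn, [olcAccess value, ...]), ...] for each entry in the LDIF text."""
    entries, dn, values = [], None, []
    for line in unfold_ldif(text) + [""]:        # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, values))
            dn, values = None, []
        elif line.startswith("#"):
            continue
        elif line.startswith("dn:: "):           # base64-encoded DN
            dn = base64.b64decode(line[5:]).decode("utf-8")
        elif line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith(ATTR + ":: "):      # base64-encoded value
            values.append(base64.b64decode(line[len(ATTR) + 4:]).decode("utf-8"))
        elif line.startswith(ATTR + ": "):
            values.append(line[len(ATTR) + 2:])
    return entries


def find_self_write_rules(entries):
    """Return [(dn, index, rule)] for every rule matching the dangerous pattern."""
    hits = []
    for dn, values in entries:
        for value in values:
            m = ORDERED.match(value)
            if m and DANGEROUS.match(m.group(2)):
                hits.append((dn, int(m.group(1)), m.group(2)))
    return hits


def drop_self_write(rule):
    """Remove the leading 'by self write' clause; later clauses are kept verbatim."""
    return re.sub(r"^(to\s+\*)\s+by\s+self\s+write\b", r"\1", rule, count=1)


def modify_ldif(hits):
    """Build ldapmodify input: one 'changetype: modify' record per database,
    deleting the flagged value by index and re-adding the fixed rule at that index."""
    by_dn = {}
    for dn, index, rule in hits:
        by_dn.setdefault(dn, []).append((index, rule))
    records = []
    for dn, rules in by_dn.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for index, rule in rules:
            lines += ["delete: olcAccess", f"olcAccess: {{{index}}}", "-",
                      "add: olcAccess", f"olcAccess: {{{index}}}{drop_self_write(rule)}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""


if __name__ == "__main__":
    found = find_self_write_rules(parse_olc_access(SAMPLE_LDIF))
    for dn, index, rule in found:
        print(f"# {dn}: olcAccess {{{index}}} lets users write all of their own attributes")
    print(modify_ldif(found), end="")
```

Review the generated LDIF before feeding it to `ldapmodify -Y EXTERNAL -H ldapi:///`: the pattern deliberately follows the mail's criterion, so a `to *` rule whose `by self write` clause appears after other `by` clauses is not flagged and still needs a manual look, and removing the `by self write` on `userPassword` would be a mistake, which is why that rule is left alone.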