Dear debian-l10n-english,
Bug #761406 reported a rule included in Debian's default slapd
configuration that granted users more permissions than one might assume,
with possible security consequences. I removed that rule for new
installations, but I don't want to try automatically changing existing
configurations. Instead, I want to show a brief debconf note with a
summary of the problem and a pointer to README.Debian, where there would
be a longer explanation and an example of how to resolve it. I'm writing
to ask for help composing both of those texts.
Summary of the bug:
* Versions 2.4.23-3 through 2.4.39-1.1 are affected. Only new
installations are affected, not those upgraded from earlier versions.
Configurations generated by dpkg-reconfigure are also affected.
* In OpenLDAP, after a user binds to the server under a particular name,
the access rule "to * by self write" says that they may edit any
attributes of the database entry with that name that were not mentioned
in an earlier access rule.
* User entries commonly include Unix user and group numbers. Of course,
allowing someone to change their own uid or gid number is a severe
security violation. (Whether or not privileges can be escalated to root
by setting uid to 0 depends on the client implementation, but it's
certainly possible.)
* The problem extends to other applications as well. Depending on how
the data are used, a user could impersonate others by editing their own
Kerberos principal name, Samba SID, or various other
application-specific attributes.
My current draft for the debconf note (to be shown on upgrade, if an
access rule beginning with "to * by self write" exists) reads:
Description: Please review access control rules
One or more of your databases contains an access rule that allows users
to edit most of their own attributes. This may be unsafe, depending on
how the database is used.
.
Please review your access control rules. Refer to
/usr/share/doc/slapd/README.Debian.gz for more details.
My draft for README.Debian reads:
Dangerous default access control rule
Previous versions of slapd configured the default database with an
access control rule of the form:
to *
by self write
by dn="cn=admin,dc=example,dc=com" write
by * read
Depending on the how the database and client applications are
configured, users might be able to impersonate others by editing
attributes such as their Unix user and group numbers, their Kerberos
principal name, their Samba security identifier, or other
application-specific attributes.
New slapd installations no longer include "by self write", but
existing configurations will not be automatically modified.
To list your current access control rules, use the command:
ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)'
olcAccess
Next, create a text file containing the desired modifications, for
example:
dn: olcDatabase={1}hdb,cn=config
delete: olcAccess
olcAccess: {2}
-
add: olcAccess
olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
Adjust the database DN, the administrative DN, and the rule numbers
according to your configuration.
Finally, apply the configuration changes from the file:
ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
For more information about access control rules, consult the
slapd.access(5) man page.
<EOF>
BTW, the next upload of openldap will include these changes:
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.templates?id=master&id2=2.4.39-1
http://anonscm.debian.org/cgit/pkg-openldap/openldap.git/diff/debian/slapd.README.Debian?id=master&id2=2.4.39-1
in addition to those from this mail. I assume the upload will trigger a
regular review, but early feedback is always welcome.
Thanks in advance for your help!
Ryan
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
