Please keep replies on the list.
On Mon, 14 Jun 2010, Ariel wrote:
On Jun 14, 2010, at 1:33 PM, Aaron Richton wrote:
On Mon, 14 Jun 2010, Ariel wrote:
I don't like having the /etc/ldap.conf world readable [...]
Advice?
And you didn't chmod /etc/passwd and /etc/group too? What if people get
valuable information out of those? You can't do this and be POSIX
multi-user; getgr*/getpw* are unprivileged operations. Your users
should be able to get some output with getent(1), and your users should
be able to get the same output with "cat /etc/ldap.conf" and a bit of
thought, and any attempts to make that harder will be a waste of time
on your part. Change back the permissions, or change your OS.
Now, with all this said, if your users can get *more* information with
"cat /etc/ldap.conf" and thought than getent(1) provides, that may well
be a configuration error on your part, which would be appropriate to
discuss on this list...
I have not heard of getent before, but it seems it would only be able to
read ldap users if there was a copy of the ldap database locally? Or am
I wrong about this?
Don't think about this in terms of LDAP or any other network name service.
Imagine you've got a fresh-from-factory laptop. You start adding users,
they go into /etc/passwd. /etc/passwd is world-readable. Everybody on the
laptop can see the list of users as you update it.
Same for a server with LDAP. The actual name service is irrelevant; it's a
requirement of the API that has to be provided...
I am not worried about local users being seen, there are few per server
and they have low privileges. I was worried about someone being able to
read all our ldap users, who can access every system on our network and
many of whom have very high privileges. This is the reason why we
restrict reading from our ldap server to a validated read-only user in
the first place.
OK, again forget LDAP. You've got two servers now, each with their own
/etc/passwd. Say there are 6 users on one and 8 on the other. In the
simple, non-network case, cat /etc/passwd should show 6 or 8 (depending on
where you type it) and getent passwd should match with 6 or 8 users shown.
Even if they cannot read the password hash, getting a full list of users
seemed like something I would want to avoid. But if any attempts at
doing so in the way I was describing are meaningless then I can move on
to other things that need doing.
...well, to continue my example, if you configure things such that "getent
passwd" shows 14 users, that would probably be a mistake. You're right
that outputting a full list of users, across disparate authentication
configurations, is probably something to be avoided.
But that's what ACLs are for. See slapd.access(5). And you do this
server-side (possibly combined with a binddn on the client) by editing the
world-readable ldap.conf, not by chmod'ing the file...
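As an added illustration of the server-side approach Aaron describes (this is example configuration written for this thread, not anything posted by the participants), here is the slapd default that lets anonymous clients enumerate the directory next to a slapd.conf ACL set per slapd.access(5) that only hands the full account list to a dedicated read-only bind DN, plus the matching client-side ldap.conf. The suffix dc=example,dc=com, the ou=People/ou=Services layout and the cn=nss-reader service account are assumed names.

```conf
# Added example, not from the thread. Assumed names: suffix dc=example,dc=com,
# accounts under ou=People, service account cn=nss-reader,ou=Services,...

# ---- Weak: slapd's behaviour when slapd.conf has no "access to" lines at all.
# Every entry is readable by anyone, anonymous binds included, so any host on
# the network can list ou=People without credentials.
#
# access to *
#     by * read

# ---- Corrected: server-side ACLs (slapd.access(5)).
# "access to" clauses are tried in order and the first one whose target
# matches is used; within it, the first matching "by" clause decides.

# Password hashes: the owner may change them, anonymous may only use them to
# authenticate (needed for simple bind), nobody else can read them.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account entries: only the NSS service account may read the whole subtree,
# a user bound as themselves may read their own entry, everyone else gets
# nothing. Anonymous enumeration of the user list is no longer possible.
access to dn.subtree="ou=People,dc=example,dc=com"
    by dn.exact="cn=nss-reader,ou=Services,dc=example,dc=com" read
    by self read
    by * none

# Everything else in the tree: readable by authenticated users only.
access to *
    by users read
    by * none

# ---- Client side: /etc/ldap.conf for nss_ldap/pam_ldap, left world-readable.
# The bindpw is exactly as secret as this file, i.e. every local user who can
# run getent(1) can also read it, which is Aaron's point. Restricting the
# damage a leaked bindpw can do is done with the ACLs above (read-only,
# People subtree only), not with chmod. rootbinddn + /etc/ldap.secret (0600)
# only protects a separate root-only credential; NSS lookups still use bindpw.
base dc=example,dc=com
uri ldap://ldap.example.com/
binddn cn=nss-reader,ou=Services,dc=example,dc=com
bindpw REPLACE_WITH_SERVICE_PASSWORD
```

With the corrected ACLs, "getent passwd" on a client still shows the users its bindpw is entitled to see, while an unauthenticated search against the server returns nothing from ou=People.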