Hello community,

here is the log from the commit of package openldap2 for openSUSE:Factory 
checked in at 2022-10-28 19:28:58
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/openldap2 (Old)
 and      /work/SRC/openSUSE:Factory/.openldap2.new.2275 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "openldap2"

Fri Oct 28 19:28:58 2022 rev:177 rq:1031423 version:2.6.3

Changes:
--------
--- /work/SRC/openSUSE:Factory/openldap2/openldap2.changes      2022-07-29 
16:46:57.446495658 +0200
+++ /work/SRC/openSUSE:Factory/.openldap2.new.2275/openldap2.changes    
2022-10-28 19:29:03.074487176 +0200
@@ -1,0 +2,6 @@
+Mon Sep 26 05:16:18 UTC 2022 - William Brown <william.br...@suse.com>
+
+- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user
+  to privilege escalate to root due to unbound chown commands.
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------


++++++ slapd.service ++++++
--- /var/tmp/diff_new_pack.xhBl8f/_old  2022-10-28 19:29:04.486494257 +0200
+++ /var/tmp/diff_new_pack.xhBl8f/_new  2022-10-28 19:29:04.490494277 +0200
@@ -6,6 +6,23 @@
 Type=forking
 ExecStart=/usr/lib/openldap/start
 
+# Hardening to prevent security escalation.
+## Future hardening for FS protection.
+# ProtectSystem=full
+# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
+
+RestrictSUIDSGID=true
+NoNewPrivileges=true
+PrivateTmp=true
+PrivateDevices=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+MemoryDenyWriteExecute=true
+
 [Install]
 WantedBy=multi-user.target
 
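Review bot: The commented-out `ProtectSystem=full` / `ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap` pair is not sufficient as written, because the `start` script patched in this same commit also runs `chgrp`/`chmod` on /etc/openldap/slapd.conf, /etc/sasl2/slapd.conf and the Kerberos keytab, and each of those calls is redirected with `2>/dev/null`, so once /etc becomes read-only they would fail silently rather than loudly. Extend the note so the next person to flip it on knows: `# ReadWritePaths must also cover /etc/sasl2/slapd.conf, /etc/openldap/slapd.conf and the keytab path used by /usr/lib/openldap/start`. The header comment `# Hardening to prevent security escalation.` would also be more useful if it named the tracked issue, e.g. `# Hardening added for bsc#1202931 / CVE-2022-31253 (start script chown escalation).`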

++++++ start ++++++
--- /var/tmp/diff_new_pack.xhBl8f/_old  2022-10-28 19:29:04.506494358 +0200
+++ /var/tmp/diff_new_pack.xhBl8f/_new  2022-10-28 19:29:04.506494358 +0200
@@ -80,11 +80,17 @@
 
 function chown_database_dirs_bconfig() {
         ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i 
olcdbdirectory | awk '{print $2}')
-        for dir in $ldapdir; do
+        for dir in $(realpath ${ldapdir}); do
+            if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
                 [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
-                        chown -R $OPENLDAP_USER $dir 2>/dev/null
+                        chown -h -R $OPENLDAP_USER $dir 2>/dev/null
                 [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
-                        chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
+                        chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
+            else
+                echo "Skipping chown -h of external directory for security 
reasons. You must manually run:"
+                echo "# chown -h -R $OPENLDAP_USER $dir"
+                echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
+            fi
         done
 }
 
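Review bot: The `realpath` + `^/var/lib/ldap` allow-list on the `for dir in $(realpath ${ldapdir})` loop is the actual fix for bsc#1202931 / CVE-2022-31253, yet it has no comment, so a later cleanup could drop it as redundant; add above the loop: `# Only re-own trees under /var/lib/ldap: olcDbDirectory comes from slapd.d, which is chowned to $OPENLDAP_USER below, so arbitrary paths must never be chowned (bsc#1202931 / CVE-2022-31253).` The check is evaluated once on the resolved path while `chown -h -R` then walks the tree; `-h` keeps a symlink passed as the argument from being dereferenced, but hard links inside /var/lib/ldap to files outside it would still be re-owned, so the comment should state the reliance on fs.protected_hardlinks=1 (or use `chown --from` if that cannot be assumed on every host). The skip messages in the `else` branch are diagnostics and belong on stderr: append `>&2` to the three `echo` lines.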
@@ -92,9 +98,9 @@
         ldapdir=`grep ^directory $1 | awk '{print $2}'`
         for dir in $ldapdir; do
                 [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
-                        chown -R $OPENLDAP_USER $dir 2>/dev/null
+                        chown -h -R $OPENLDAP_USER $dir 2>/dev/null
                 [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
-                        chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
+                        chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
         done
         includes=`grep ^include $1 | awk '{print $2}'`
         if [ $depth -le 50 ]; then
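Review bot: `chown_database_dirs` (the slapd.conf path; its header line is above this hunk) still re-owns every `directory` value found in slapd.conf and in each `include` file it recurses into, with no `realpath` resolution and no /var/lib/ldap allow-list, so it does not receive the guard that `chown_database_dirs_bconfig` gains in this commit. Whether that is reachable depends on who can write slapd.conf and its includes (the script only does `chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf` and leaves the mode alone, so I cannot tell from here), but the two functions should enforce the same policy. Mirror the bconfig guard around this loop:
```shell
        ldapdir=`grep ^directory $1 | awk '{print $2}'`
        for dir in $(realpath ${ldapdir}); do
            if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
                [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
                        chown -h -R $OPENLDAP_USER $dir 2>/dev/null
                [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
                        chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
            else
                echo "Skipping chown -h of external directory for security reasons. You must manually run:" >&2
                echo "# chown -h -R $OPENLDAP_USER $dir" >&2
                echo "# chgrp -h -R $OPENLDAP_GROUP $dir" >&2
            fi
        done
        # … unchanged: include recursion guarded by $depth …
```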
@@ -112,30 +118,30 @@
 [ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f 
/etc/openldap/slapd.conf"
 
 
-# chown backend directories if OPENLDAP_CHOWN_DIRS ist set
+# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
 if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
     if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
         if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = 
"ldap" ]; then
-            chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
-            chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+            chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+            chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
             chown_database_dirs_bconfig "/etc/openldap/slapd.d"
         # assume back-config usage if slapd.conf is not present but slapd.d is
         elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
-            chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
-            chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
+            chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
+            chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
             chown_database_dirs_bconfig "/etc/openldap/slapd.d"
         else
             chown_database_dirs "/etc/openldap/slapd.conf"
-            chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
+            chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
         fi
         if test -f /etc/sasl2/slapd.conf ; then
-        chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
+        chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
         chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
         fi
         if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
             keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
             if test -f $keytabfile ; then
-                chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
+                chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
                 chmod g+r $keytabfile 2>/dev/null
             fi
         fi
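Review bot: Adding `-h` to the non-recursive `chgrp` on `$keytabfile` (and on /etc/sasl2/slapd.conf just above it) changes which object is affected when the path is a symlink: `chgrp -h` now alters the link itself, while the following `chmod g+r $keytabfile` has no `-h` and still follows the link, so a symlinked keytab ends up group-readable for whatever group the target already had instead of $OPENLDAP_GROUP, and slapd may lose access. If symlinked keytabs are meant to be supported, resolve once and quote: `keytabfile=$(realpath -e -- "$keytabfile") || keytabfile=` before the `test -f`; if not, skip them explicitly with `[ -L "$keytabfile" ] && ...` and a log line. The comment `# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set` carries the typo `ist` for `is`.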
@@ -159,7 +165,7 @@
 
 if [ ! -d $SLAPD_PID_DIR ]; then
     mkdir -p $SLAPD_PID_DIR
-    chown ldap:ldap $SLAPD_PID_DIR
+    chown -h ldap:ldap $SLAPD_PID_DIR
 fi
 echo -n "Starting ldap-server"
 exec $SLAPD_BIN  -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
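Review bot: `chown -h ldap:ldap $SLAPD_PID_DIR` hard-codes the account, whereas every other ownership change in this script goes through `$OPENLDAP_USER` / `$OPENLDAP_GROUP`, so a deployment that overrides those gets a PID directory owned by a different user than the one slapd runs as; when they are set, use `chown -h "$OPENLDAP_USER:$OPENLDAP_GROUP" "$SLAPD_PID_DIR"`, or leave a comment explaining why ldap:ldap is fixed here. The preceding `mkdir -p $SLAPD_PID_DIR` is unchecked and unquoted, so on failure the chown runs against a missing path with no diagnostic; `mkdir -p -- "$SLAPD_PID_DIR" || exit 1` would surface that.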
