Your message dated Sun, 22 Mar 2009 22:17:03 +0000
with message-id <[email protected]>
and subject line Bug#520476: fixed in nss-ldapd 0.6.8
has caused the Debian Bug report #520476,
regarding libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
520476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss-ldapd
Version: 0.6.7
Severity: important


Hi, I believe there is a security issue with the default permissions on file 
/etc/nss-ldapd.conf
It is created as follows:
owner: root
group: root
mode: 644

My LDAP server requires authentication to access the posix user/group attributes,
but the clear text credentials I have provided to debconf are world-readable
when saved in this file. I suggest the following permissions as a new default:
owner: root
group: nslcd
mode: 640

I have not had time to check this in testing or unstable, but should this be
deployed to lenny as a security update? (both change the default and maybe prompt
the administrator to change the existing permissions?)

I am migrating from libnss-ldap, which has a debconf prompt to change the mode to 0600
if there's a password in it.

First bug, please don't flame too hard if I'm doing it wrong :)

- Leigh.


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (20081028, 'unstable'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.24             Debian configuration management sy
ii  libc6                 2.7-18             GNU C Library: Shared libraries
ii  libkrb53              1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1           OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23    Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
pn  libpam-ldap                   <none>     (no description available)
pn  nscd                          <none>     (no description available)

libnss-ldapd suggests no packages.

-- debconf information:
* libnss-ldapd/ldap-base: dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/nsswitch: group, passwd, shadow
* libnss-ldapd/ldap-binddn: cn=authtest,ou=Users,dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/ldap-uris: ldaps://eddie.bms.qld.edu.au



--- End Message ---
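As an added example (not part of the bug report or the nss-ldapd package), the following audit script checks the condition Leigh describes: a config file that sets `bindpw` while its mode lets group or other read it. It encodes the proposed default (owner root, group nslcd, mode 0640) as the acceptable state; the sample config, the `nslcd` group name parameter and the temp-file demo are constructed assumptions.

```python
import grp
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample resembling a debconf-generated nss-ldapd.conf (not from the report).
SAMPLE_CONF = """\
# /etc/nss-ldapd.conf (constructed sample)
uri ldaps://ldap.example.org
base dc=example,dc=org
binddn cn=authtest,ou=Users,dc=example,dc=org
bindpw placeholder-secret
"""

def has_bindpw(text):
    """True if a non-comment line sets the bindpw option."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.split(None, 1)[0].lower() == "bindpw":
            return True
    return False

def audit_conf(path, service_group="nslcd"):
    """Return findings; an empty list means the permissions are acceptable.

    Acceptable: no bindpw at all, or no world-read bit and group-read only when
    the group owner is the service group (the proposed root:nslcd 0640 default).
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if not has_bindpw(Path(path).read_text()):
        return findings
    if mode & stat.S_IROTH:
        findings.append("bindpw set but file is world-readable (mode %04o)" % mode)
    if mode & stat.S_IRGRP:
        try:
            gname = grp.getgrgid(st.st_gid).gr_name
        except KeyError:
            gname = str(st.st_gid)  # unresolvable gid: report the number
        if gname != service_group:
            findings.append("bindpw set and group-readable by %r, not %r" % (gname, service_group))
    return findings

def demo(mode):
    """Write the sample config with the given mode into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "nss-ldapd.conf")
        Path(p).write_text(SAMPLE_CONF)
        os.chmod(p, mode)
        return audit_conf(p)

if __name__ == "__main__":
    print("0644:", demo(0o644))  # the shipped default from the report: flagged
    print("0600:", demo(0o600))  # the libnss-ldap style default: clean
```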
--- Begin Message ---
Source: nss-ldapd
Source-Version: 0.6.8

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.8_i386.deb
  to pool/main/n/nss-ldapd/libnss-ldapd_0.6.8_i386.deb
nss-ldapd_0.6.8.dsc
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.8.dsc
nss-ldapd_0.6.8.tar.gz
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.8.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Mar 2009 22:00:00 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.8
Distribution: unstable
Urgency: high
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 520476
Changes: 
 nss-ldapd (0.6.8) unstable; urgency=high
 .
   * SECURITY FIX: the nss-ldapd.conf file that is installed was created
                   world-readable which could cause problems if the bindpw
                   option is used
                   this has been fixed and warnings have been added to the
                   manual page and sample nss-ldapd.conf (closes: #520476)
   * clean the environment and set LDAPNOINIT to disable parsing of LDAP
     configuration files (.ldaprc, /etc/ldap/ldap.conf, etc)
   * remove sslpath option because it wasn't used
   * correctly set SSL/TLS options when using StartTLS
   * rename the tls_checkpeer option to tls_reqcert, deprecating the old name
     and supporting all values that OpenLDAP supports
   * allow backslashes in user and group names except as first or last
     character
   * check user and group names against LOGIN_NAME_MAX if it is defined
   * fix for getpeercred() on Solaris by David Bartley
   * debian/control: change section to admin to follow change in override file
   * add lintian override for missing shlibs and symbols control files (we are
     a shared library that should not be directly linked to)
   * upgrade to standards-version 3.8.1 (no changes needed)
   * upgrade to debhelper compatibility level 7




--- End Message ---