Your message dated Thu, 02 Apr 2009 13:54:03 +0000
with message-id <[email protected]>
and subject line Bug#520476: fixed in nss-ldapd 0.6.7.1
has caused the Debian Bug report #520476,
regarding libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
520476: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=520476
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libnss-ldapd
Version: 0.6.7
Severity: important
Hi, I believe there is a security issue with the default permissions on file
/etc/nss-ldapd.conf
It is created as follows:
owner: root
group: root
mode: 644
My LDAP server requires authentication to access the posix user/group attributes,
but the clear-text credentials I have provided to debconf are world-readable
when saved in this file. I suggest the following permissions as a new default:
owner: root
group: nslcd
mode: 640
I have not had time to check this in testing or unstable, but should this be
deployed to lenny as a security update? (both change the default and maybe prompt
the administrator to change the existing permissions?)
I am migrating from libnss-ldap, which has a debconf prompt to change the mode to 0600
if there's a password in it.
First bug, please don't flame too hard if I'm doing it wrong :)
- Leigh.
-- System Information:
Debian Release: 5.0
APT prefers unstable
APT policy: (20081028, 'unstable'), (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.28-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libnss-ldapd depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii libldap-2.4-2 2.4.11-1 OpenLDAP libraries
ii libsasl2-2 2.1.22.dfsg1-23 Cyrus SASL - authentication abstra
Versions of packages libnss-ldapd recommends:
pn libpam-ldap <none> (no description available)
pn nscd <none> (no description available)
libnss-ldapd suggests no packages.
-- debconf information:
* libnss-ldapd/ldap-base: dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/nsswitch: group, passwd, shadow
* libnss-ldapd/ldap-binddn: cn=authtest,ou=Users,dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/ldap-uris: ldaps://eddie.bms.qld.edu.au
--- End Message ---
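The report above boils down to one check an administrator can run on any host that stores an LDAP bind password in a config file: is the file readable by users outside root and the service group? The script below is an added example, not part of the bug report or of the nss-ldapd package. It assumes a Linux host with GNU coreutils (`stat -c`), uses a constructed temporary config in place of the real /etc/nss-ldapd.conf, and treats the reporter's suggested target of root:nslcd mode 640 as the desired state; `nslcd` is only looked up if that group exists.

```sh
#!/bin/sh
# Added example: audit and harden a config file that may hold an LDAP
# bind password (the /etc/nss-ldapd.conf case from Debian bug #520476).
# Not part of nss-ldapd; assumes GNU coreutils 'stat -c' (Linux).

# check_secret_file FILE [GROUP]
#   0: FILE holds no bindpw, or holds one and is not world-readable
#      (and, if GROUP is given, is owned by root:GROUP)
#   1: FILE holds a bindpw and is exposed
#   2: FILE does not exist
check_secret_file() {
    file=$1
    want_group=${2:-}
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    # A config with no bind password is not a secret; nothing to enforce.
    if ! grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$file"; then
        return 0
    fi
    # Last octal digit is the "other" class; any bit set means anyone can read it.
    other=${mode#"${mode%?}"}
    if [ "$other" != 0 ]; then
        echo "INSECURE: $file is $owner:$group mode $mode; bindpw readable by everyone" >&2
        return 1
    fi
    if [ -n "$want_group" ] && { [ "$owner" != root ] || [ "$group" != "$want_group" ]; }; then
        echo "WARNING: $file is $owner:$group, expected root:$want_group" >&2
        return 1
    fi
    return 0
}

# harden_secret_file FILE [GROUP]
#   Drop all "other" access (mode 640) and, when the service group exists,
#   hand the file to it so the daemon can still read its password.
#   Changing the owner to root is left to the caller, since it needs privilege.
harden_secret_file() {
    file=$1
    grp=${2:-}
    chmod 640 "$file"
    if [ -n "$grp" ] && getent group "$grp" >/dev/null 2>&1; then
        chgrp "$grp" "$file"
    fi
}

# Command-line use on a real host, e.g.:
#   sh audit-bindpw.sh /etc/nss-ldapd.conf nslcd || harden_secret_file /etc/nss-ldapd.conf nslcd
if [ $# -gt 0 ]; then
    check_secret_file "$@"
fi
```

Run against /etc/nss-ldapd.conf as root; a non-zero exit with the INSECURE line is exactly the 644 default the report describes, and the harden step reproduces the 640 root:nslcd layout the reporter asked for without touching files that carry no password.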
--- Begin Message ---
Source: nss-ldapd
Source-Version: 0.6.7.1
We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:
libnss-ldapd_0.6.7.1_i386.deb
to pool/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_i386.deb
nss-ldapd_0.6.7.1.dsc
to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.dsc
nss-ldapd_0.6.7.1.tar.gz
to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 21 Mar 2009 10:43:17 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.7.1
Distribution: stable-security
Urgency: high
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 520476
Changes:
nss-ldapd (0.6.7.1) stable-security; urgency=high
.
* security upload
* fix the permissions of /etc/nss-ldapd.conf to not be world readable
(file can be used to store LDAP password) (closes: #520476)
Checksums-Sha1:
3f447686b85f17fc4029a1cb14710166266f5bf5 996 nss-ldapd_0.6.7.1.dsc
3c8fb8bca88e13ba1206c0058d86bcf96c5d5a2c 373338 nss-ldapd_0.6.7.1.tar.gz
cd21e38a949914b161fc8bf60df9303ac2358e1a 109212 libnss-ldapd_0.6.7.1_i386.deb
Checksums-Sha256:
5f9ca7e56a2c8ca260965c575298669d45796f6dc57dd8d4f5044d56b69edb91 996 nss-ldapd_0.6.7.1.dsc
f00458342e4809485dd86b5c72f6f76398015a3e6dee6760496631d904641e52 373338 nss-ldapd_0.6.7.1.tar.gz
8acdfde05a7679fda7109799ddd901379668e852d464d24701497391d92bfd07 109212 libnss-ldapd_0.6.7.1_i386.deb
Files:
31232235dc6d5e0abb448e56f5f6f8ad 996 net extra nss-ldapd_0.6.7.1.dsc
4cf1160a9626c51ee584f5b66ae1d33a 373338 net extra nss-ldapd_0.6.7.1.tar.gz
d8245739c6796420c11ed945f9300cfe 109212 net extra libnss-ldapd_0.6.7.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAknP1qkACgkQVYan35+NCKfOkQCg6sUhIrcXai7Ew8uwsVDqwSRl
sc8An2yaZ1nl4M/GqSBBGgvumhE3Qor8
=oHCH
-----END PGP SIGNATURE-----
--- End Message ---