Bug#993935: debian-edu-ltsp-install: Netboot image exposes private data and crypto keys

2021-09-08 Thread Wolfgang Schweer
[ Dominik George, 2021-09-08 ]
> Package: debian-edu-config
> Version: 2.11.56
> Severity: critical
> Tags: security
> Justification: root security hole
> X-Debbugs-Cc: Debian Security Team 
> 
> The LTSP netboot image produced by debian-edu-ltsp-install includes full
> copies of files that should never leave the Debian Edu main server, if run
> on a so-called "combined server" (a system using the Main Server and
> Terminal Server profiles, as done in small installations).

Yes, confirmed.
 
> Among these files are full copies of, among others:
> 
>  - /var/lib/ldap, containing the full, unencrypted LDAP database with all
>    private information on all users, password hashes, and Kerberos keys
>  - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
>    LDAP database
>  - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
>    key to decrypt it

These should be added to the exclude list, and some more. Other fixes 
are then needed, too.
 
> Any user with access to the local terminal server network can acquire 
> the netboot image, unauthenticated, and extract the listed information 
> from it.

SSH, tftp: I fail to get the SquashFS image file in both cases. But then 
I'm no expert.
 
> The issue is caused by the new LTSP system using the LTSP PnP system 
> now in all cases, thus packing the entire main server filesystem in a 
> squashfs image. The debian-edu-ltsp-install script produces a list of 
> files to exclude from the image, which is not sufficient, most 
> probably because it was tailored to the use case where the image is 
> produced from a dedicated Terminal Server instead of a combined 
> server.

Yes.
 
> IMHO, the use case of the combined server cannot be fixed. The new 
> LTSP system de facto disallows any use of a combined server – even if 
> we make a very carefully curated list of excluded files, any 
> administrator would have to take care to add their own excludes for 
> just about any file they place on the main server that was not placed 
> there by the Debian Edu software. In fact, the whole new LTSP system 
> seems unfit to be used on any server that is not limited to producing 
> LTSP images, and supporting netbooting them.

While it's best to use separate LTSP servers (as recommended in the 
manual), people are used to getting a turnkey system like the combined 
server. So maybe we should strive to keep that option (and add a hint to 
the exclude list in the manual).
 
> For now, the issue should be mitigated by carefully adding all 
> relevant paths that are known to exist only on the main server to the 
> exclude list, but I do not think that is a viable fix in the long 
> term.

I've set up a test environment and will take a look.

Wolfgang


Bug#993935: debian-edu-ltsp-install: Netboot image exposes private data and crypto keys

2021-09-08 Thread Dominik George
Package: debian-edu-config
Version: 2.11.56
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: Debian Security Team 

The LTSP netboot image produced by debian-edu-ltsp-install includes full copies
of files that should never leave the Debian Edu main server, if run on a
so-called "combined server" (a system using the Main Server and Terminal Server
profiles, as done in small installations).

Among these files are full copies of, among others:

 - /var/lib/ldap, containing the full, unencrypted LDAP database with all
   private information on all users, password hashes, and Kerberos keys
 - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
   LDAP database
 - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
   key to decrypt it

Any user with access to the local terminal server network can acquire the
netboot image, unauthenticated, and extract the listed information from it.

The issue is caused by the new LTSP system using the LTSP PnP system now in all
cases, thus packing the entire main server filesystem in a squashfs image. The
debian-edu-ltsp-install script produces a list of files to exclude from the
image, which is not sufficient, most probably because it was tailored to the
use case where the image is produced from a dedicated Terminal Server instead
of a combined server.

IMHO, the use case of the combined server cannot be fixed. The new LTSP system
de facto disallows any use of a combined server – even if we make a very
carefully curated list of excluded files, any administrator would have to take
care to add their own excludes for just about any file they place on the main
server that was not placed there by the Debian Edu software. In fact, the whole
new LTSP system seems unfit to be used on any server that is not limited to
producing LTSP images, and supporting netbooting them.

For now, the issue should be mitigated by carefully adding all relevant paths
that are known to exist only on the main server to the exclude list, but I do
not think that is a viable fix in the long term.
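The mitigation proposed in both messages above (extend the exclude list) can be checked mechanically against the image that debian-edu-ltsp-install actually produces, rather than against the list alone. The following is an added example, not code from the bug report, from Debian Edu or from LTSP: it reads a file listing such as `unsquashfs -l` prints for the generated SquashFS image and flags every path under a directory that belongs only on the main server. The three prefixes named in the report are taken from it; the remaining prefixes, the image path in the usage comment, and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of debian-edu-config or LTSP: audit the file list
# of an LTSP SquashFS image for paths that belong only on the Debian Edu
# main server.
#
# Usage on a real image (the path is an assumption, substitute your own):
#   unsquashfs -l /path/to/ltsp-image.img | audit_listing || echo "do not publish"
#
# Assumption: `unsquashfs -l` prints one path per line prefixed with
# "squashfs-root"; absolute and relative paths are accepted as well.

# Directory prefixes that must never be in an image served unauthenticated on
# the LTSP network. The first three are the ones named in the bug report; the
# rest are added here as illustrative members of the same class.
SENSITIVE_PREFIXES='
/var/lib/ldap/
/etc/krb5-kdc/
/etc/gosa/
/etc/shadow
/etc/ssh/ssh_host_
/root/
'

# audit_listing: read paths on stdin and print "LEAK: <path>" for every path
# under a sensitive prefix. Returns 1 if anything was found, 0 otherwise, so
# it can gate an image build or a copy into the tftp/nbd export directory.
audit_listing() {
    found=0
    while IFS= read -r line; do
        path="${line#squashfs-root}"      # drop the unsquashfs -l prefix
        case "$path" in
            /*) ;;                        # already absolute
            *)  path="/$path" ;;          # relative listing: make absolute
        esac
        for prefix in $SENSITIVE_PREFIXES; do
            case "$path" in
                "$prefix"*) printf 'LEAK: %s\n' "$path"; found=1; break ;;
            esac
        done
    done
    return "$found"
}

# Constructed sample listing standing in for `unsquashfs -l` output from an
# image built on a combined server; the file names are illustrative only.
SAMPLE_LISTING='squashfs-root/etc/hostname
squashfs-root/etc/gosa/gosa.conf
squashfs-root/etc/gosa/gosa.secrets
squashfs-root/etc/krb5-kdc/kdc.conf
squashfs-root/etc/krb5-kdc/stash
squashfs-root/var/lib/ldap/data.mdb
squashfs-root/usr/bin/ls'

# Demonstration: prints the five leaked paths, then the warning, since the
# function returns 1 for this listing.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing || echo "image must not be published"
```

The check is deliberately done on the built image rather than on the exclude list, because, as the report points out, the exclude list can only ever name what someone thought of; the image listing shows what actually shipped, including files an administrator added later.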