[Pkg-openldap-devel] [openldap] 01/03: warn about unsafe acl (#761406)

Ryan Tandy rtandy-guest at moszumanska.debian.org
Tue Oct 21 16:45:09 UTC 2014


This is an automated email from the git hooks/post-receive script.

rtandy-guest pushed a commit to branch master
in repository openldap.

commit 1868c7d3e2efc0500585d20dd7b771ace9d4aca9
Author: Ryan Tandy <ryan at nardis.ca>
Date:   Mon Oct 20 11:01:25 2014 -0700

    warn about unsafe acl (#761406)
---
 debian/changelog           |  2 ++
 debian/slapd.README.Debian | 44 ++++++++++++++++++++++++++++++++++++++++++++
 debian/slapd.config        | 14 ++++++++++++++
 debian/slapd.templates     | 16 ++++++++++++++++
 4 files changed, 76 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index 9a14dbc..d22bb64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -8,6 +8,8 @@ openldap (2.4.40-2) UNRELEASED; urgency=medium
   * Recommend MDB for new installations, per upstream's recommendation.
   * Don't re-create the default DB_CONFIG if there wasn't one in the backup,
     for example if the active backend doesn't use it. Thanks Ferenc Wagner.
+  * On upgrade, if an access rule begins with "to * by self write", show a 
+    debconf note warning that it should be changed. (Closes: #761406)
 
  -- Ryan Tandy <ryan at nardis.ca>  Sun, 19 Oct 2014 17:34:00 -0700
 
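Review bot: the added changelog line `show a ` ends in trailing whitespace; trim it. It would also help readers of the changelog to say where the remedy lives (the new "Unsafe access control rule" section in README.Debian), since the entry only announces the warning and not what an administrator is expected to do about it.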
diff --git a/debian/slapd.README.Debian b/debian/slapd.README.Debian
index 85e2b11..a5e307f 100644
--- a/debian/slapd.README.Debian
+++ b/debian/slapd.README.Debian
@@ -235,3 +235,47 @@ Modifications Compared to Upstream
   openldap source package.
 
  -- Russ Allbery <rra at debian.org>, Thu, 14 Feb 2008 18:47:07 -0800
+
+Unsafe access control rule installed by default in previous versions
+
+  Versions of slapd before 2.4.40-1 configured the default database with 
+  an access control rule of the form:
+
+  to *
+    by self write
+    by dn="cn=admin,dc=example,dc=com" write
+    by * read
+
+  Depending on how the database and client applications are configured, 
+  users might be able to impersonate others by editing attributes such 
+  as their Unix user and group numbers, or other application-specific 
+  attributes.
+
+  New installations no longer include "by self write", but existing 
+  configurations will not be automatically modified.
+
+  To list your current access control rules, use the command:
+
+    ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config' '(olcAccess=*)' olcAccess
+
+  To fix the problem, create an LDIF file to replace the rules as 
+  needed. For example:
+
+    dn: olcDatabase={1}hdb,cn=config
+    delete: olcAccess
+    olcAccess: {2}
+    -
+    add: olcAccess
+    olcAccess: {2}to * by dn="cn=admin,dc=example,dc=com" write by * read
+
+  Adjust the database DN, the administrative DN, and the rule numbers 
+  according to your configuration, following the output from ldapsearch.
+
+  Next, apply the configuration changes from the file:
+
+    ldapmodify -Y EXTERNAL -H ldapi:/// -f mods.ldif
+
+  For more information about access control rules, refer to the 
+  slapd.access(5) man page.
+
+ -- Ryan Tandy <ryan at nardis.ca>, Mon, 20 Oct 2014 11:45:20 -0700
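Review bot: the README tells the administrator to drop `by self write` from the `to *` rule but never shows how to re-grant self-write on the attributes that users legitimately need to edit, which is exactly what the accompanying debconf note recommends ("only able to modify specifically allowed attributes"). Add a short example of a narrower rule placed before the `to *` rule, e.g. `olcAccess: {2}to attrs=loginShell,gecos by self write by * read`, and say explicitly that password changes keep working only if a separate `to attrs=userPassword ... by self write` rule precedes the `to *` rule, as the Debian default configuration's rule {0} does. Two smaller points on the same text: the LDIF example relies on ldapmodify's implicit default of `changetype: modify`; adding that line after the `dn:` makes the file self-explanatory and safe to feed to `ldapmodify -a` by mistake. Several added lines (`with `, `configured, `, `existing `, `as `, `the `) end in trailing whitespace and should be trimmed.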
diff --git a/debian/slapd.config b/debian/slapd.config
index 5ccf560..f011936 100644
--- a/debian/slapd.config
+++ b/debian/slapd.config
@@ -146,6 +146,19 @@ configure_dumping() {							# {{{
 # }}}
 # }}}
 
+warn_about_selfwrite_acl() {						# {{{
+# Warn about databases having an acl beginning with "to * by self 
+# write", installed by default in previous versions of slapd.init.ldif 
+# but having possible security implications.
+	if [ -d "$SLAPD_CONF" ]; then
+		if grep -q '^olcAccess: {[0-9]*}to \* by self write' \
+			"$SLAPD_CONF"/cn\=config/olcDatabase*.ldif 2>/dev/null; then
+			db_input high slapd/unsafe_selfwrite_acl || true
+		fi
+	fi
+}
+# }}}
+
 # Create an initial directory on fresh install
 if is_initial_configuration "$@"; then
 	if ! want_manual_configuration; then
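Review bot: the grep only matches when `by self write` is the very first clause of the rule, so a rule such as `to * by dn="cn=admin,..." write by self write by * read` grants the identical self-write and goes undetected; the README's wording "begins with" scopes the warning the same way, but the security property does not depend on clause order. Loosening the pattern to something like `grep -qE '^olcAccess: \{[0-9]+\}to \* .*by self write'` catches the reordered case while still ignoring attribute-scoped rules. Values that slapd emits base64-encoded (`olcAccess:: ...`) are also missed by the `: ` match; at least mention the limitation in the comment. Minor: `{[0-9]*}` accepts an empty index (`{}`), which slapd never writes; `[0-9]+` is the intended form.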
@@ -160,6 +173,7 @@ fi
 if [ "$1" = configure ] && [ -n "$2" ]; then
 	configure_dumping
 	configure_allow_v2_binds
+	warn_about_selfwrite_acl
 fi
    
 db_go || true
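Review bot: because `slapd/unsafe_selfwrite_acl` is a note, debconf sets its seen flag after the first display and `db_input` will not show it again on later upgrades even if the ACL is still in place. If the intent is to keep warning until the rule is fixed, reset the flag before asking, e.g. `db_fset slapd/unsafe_selfwrite_acl seen false || true` immediately before the `db_input` in warn_about_selfwrite_acl; if a single warning is intended, say so in the function comment so the behaviour is not mistaken for a bug.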
diff --git a/debian/slapd.templates b/debian/slapd.templates
index c038c5e..ab4ee31 100644
--- a/debian/slapd.templates
+++ b/debian/slapd.templates
@@ -142,3 +142,19 @@ _Description: Database backend to use:
  .
  In any case, you should review the resulting database configuration for
  your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.
+
+Template: slapd/unsafe_selfwrite_acl
+Type: note
+#flag:comment:3
+# Translators: keep "by self write" and "to *" unchanged. These are part 
+# of the slapd configuration and are not translatable.
+_Description: Potentially unsafe slapd access control configuration
+ One or more of the configured databases has an access control rule that 
+ allows users to modify most of their own attributes. This may be 
+ unsafe, depending on how the database is used.
+ .
+ In the case of slapd access rules that begin with "to *", it is
+ recommended to remove any instances of "by self write", so that users
+ are only able to modify specifically allowed attributes.
+ .
+ See /usr/share/doc/slapd/README.Debian.gz for more details.
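Review bot: the description says the rule "allows users to modify most of their own attributes", which understates the risk documented in README.Debian, namely that a user can rewrite identity attributes such as their Unix user and group numbers and thereby impersonate another account. State that concrete consequence in the first paragraph of the template, since an administrator who only sees the debconf note and never opens README.Debian.gz is the one most likely to dismiss it.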

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openldap/openldap.git