Debian Bug report logs - #402010
gosa leaves the ldap admin password readable by any web application


Package: gosa; Maintainer for gosa is Debian Edu Packaging Team <debian-edu-pkg-team@lists.alioth.debian.org>; Source for gosa is src:gosa.

Reported by: Finn-Arne Johansen <faj@bzz.no>

Date: Thu, 7 Dec 2006 13:48:01 UTC

Severity: important

Tags: wontfix

Found in versions gosa/2.5.6-2, gosa/2.5.15-2

Fixed in version gosa/2.5.16-1

Done: Cajus Pollmeier <cajus@naasa.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Finn-Arne Johansen <faj@bzz.no>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Finn-Arne Johansen <faj@bzz.no>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gosa leaves the ldap admin password readable by any web application
Date: Thu, 07 Dec 2006 14:37:00 +0100
Package: gosa
Version: 2.5.6-2
Severity: critical
Tags: security
Justification: root security hole


The documentation in gosa tells the admin to install gosa.conf under
/etc/gosa/gosa.conf, and to make it readable by the group www-data.
In this configuration file, the ldap admin password is stored in
cleartext. Any process running under the web process can now read that
file, and if the same ldap user was used for authenticating, it would
be rather easy to create a user with root access.

this little script placed under my ~/public_html/ revealed the password
on my server
  <?php system ('cat /etc/gosa/gosa.conf') ; ?>
 


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.17-2-686
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages gosa depends on:
ii  apache2-mpm-prefork     2.2.3-3.1        Traditional model for Apache HTTPD
ii  fping                   2.4b2-to-ipv6-14 sends ICMP ECHO_REQUEST packets to
ii  libcrypt-smbhash-perl   0.12-1           generate LM/NT hash of a password 
ii  php5                    5.2.0-7          server-side, HTML-embedded scripti
ii  php5-gd                 5.2.0-7          GD module for php5
ii  php5-imagick            0.9.11+1-4.1     ImageMagick module for php5
ii  php5-imap               5.2.0-7          IMAP module for php5
ii  php5-ldap               5.2.0-7          LDAP module for php5
ii  php5-mhash              5.2.0-7          MHASH module for php5
ii  php5-mysql              5.2.0-7          MySQL module for php5
ii  php5-recode             5.2.0-7          recode module for php5
ii  postfix [mail-transport 2.3.4-2          A high-performance mail transport 
ii  smarty                  2.6.14-1         Template engine for PHP
ii  smarty-gettext          1.0b1-2          provides gettext support for smart
ii  wwwconfig-common        0.0.48           Debian web auto configuration

gosa recommends no packages.

-- no debconf information
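A defender's check for the exposure the report describes, added here as a worked example (it is not part of the bug report or of the gosa package): it applies the ordinary Unix owner/group/other read-permission logic to a credential file from the point of view of the web server account, so an operator can confirm whether a cleartext config is reachable by anything the web server runs. The path /etc/gosa/gosa.conf and the www-data account come from the report; the scratch-file helper and the simulated web identity are constructed for the demonstration, and the pwd/grp lookups assume a Unix host.

```python
import grp
import os
import pwd
import stat
import tempfile
from typing import Iterable, List, Set, Tuple

GOSA_CONF = "/etc/gosa/gosa.conf"   # path named in the report


def readable_by(st: os.stat_result, uid: int, gids: Iterable[int]) -> bool:
    """Classic Unix read check for a non-root process: owner bits if the
    process owns the file, else group bits if the file's group is one of the
    process's groups, else the 'other' bits. Only the first matching class
    counts, which is how the kernel evaluates it."""
    mode = st.st_mode
    if uid == st.st_uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in set(gids):
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_credential_file(path: str, web_uid: int, web_gids: Iterable[int]) -> List[str]:
    """Findings for a file holding cleartext credentials, judged from the web
    server account's point of view. An empty list means the web server (and
    therefore every script it executes) cannot read the file."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink: audit the link target instead"]
    findings: List[str] = []
    if st.st_mode & stat.S_IROTH:
        findings.append("world-readable")
    if st.st_uid == web_uid:
        findings.append("owned by the web server user")
    if readable_by(st, web_uid, web_gids):
        findings.append("readable by the web server process")
    return findings


def web_identity(user: str = "www-data") -> Tuple[int, Set[int]]:
    """Resolve the web server account to (uid, all of its gids) from the local
    passwd/group databases, supplementary groups included."""
    pw = pwd.getpwnam(user)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if user in g.gr_mem}
    return pw.pw_uid, gids


def audit_scratch_file(mode: int) -> List[str]:
    """Run the audit on a throw-away file with the given mode bits, using a
    simulated web identity: a different uid that shares the file's group.
    This reproduces the 'readable by group www-data' layout from the report
    without touching /etc (constructed test data)."""
    fd, path = tempfile.mkstemp()
    try:
        os.close(fd)
        os.chmod(path, mode)
        st = os.stat(path)
        return audit_credential_file(path, st.st_uid + 1, {st.st_gid})
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # On a real host: is gosa.conf reachable by the www-data account?
    if os.path.exists(GOSA_CONF):
        uid, gids = web_identity("www-data")
        print(GOSA_CONF, audit_credential_file(GOSA_CONF, uid, gids) or ["not readable by www-data"])
    for m in (0o640, 0o600, 0o644, 0o604):
        print(oct(m), audit_scratch_file(m))
```

The 0o604 case shows why "group" is the class that matters here: once the file's group matches, the group bits decide and the world-readable bit is not consulted, so a file that is group www-data with mode 0640 is exactly as exposed to the web server as a world-readable one.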



Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Martin Schulze <joey@infodrom.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #10 received at 402010@bugs.debian.org (full text, mbox):

From: Martin Schulze <joey@infodrom.org>
To: Finn-Arne Johansen <faj@bzz.no>
Cc: Debian Bug Tracking System <402010@bugs.debian.org>
Subject: Re: Bug#402010: gosa leaves the ldap admin password readable by any web application
Date: Thu, 7 Dec 2006 15:05:33 +0100
Finn-Arne Johansen wrote:
> Package: gosa
> Version: 2.5.6-2
> Severity: critical
> Tags: security
> Justification: root security hole
> 
> 
> The documentation in gosa tells the admin to install gosa.conf under
> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
> In this configuration file, the ldap admin password is stored in
> cleartext. Any process running under the web process can now read that
> file, and if the same ldap user was used for authenticating, it would
> be rather easy to create a user with root access.

Honestly, what solution would you propose for a process running as
www-data to access a password which can not be read by other processes
running as www-data?

> this little script placed under my ~/public_html/ revealed the password
> on my server
>   <?php system ('cat /etc/gosa/gosa.conf') ; ?>

As usual, it's sad, but if you allow random users to use self-written
PHP scripts, they can access everything that the www-data user can
access.  It may be different with suhosin.

As a general rule, users don't belong on services machines, if you
want to avoid such problems.

Regards,

	Joey

-- 
Long noun chains don't automatically imply security.  -- Bruce Schneier

Please always Cc to me when replying to me on the lists.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Cajus Pollmeier <cajus@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #15 received at 402010@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@debian.org>
To: Finn-Arne Johansen <faj@bzz.no>, 402010@bugs.debian.org
Subject: Re: Bug#402010: gosa leaves the ldap admin password readable by any web application
Date: Thu, 7 Dec 2006 15:05:39 +0100
On Thursday 07 December 2006 14:37, Finn-Arne Johansen wrote:
> Package: gosa
> Version: 2.5.6-2
> Severity: critical
> Tags: security
> Justification: root security hole
>
>
> The documentation in gosa tells the admin to install gosa.conf under
> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
> In this configuration file, the ldap admin password is stored in
> cleartext. Any process running under the web process can now read that
> file, and if the same ldap user was used for authenticating, it would
> be rather easy to create a user with root access.
>
> this little script placed under my ~/public_html/ revealed the password
> on my server
>   <?php system ('cat /etc/gosa/gosa.conf') ; ?>

So, do you have another solution, actually? Any web application that stores 
information about passwords has the same problem, you can simply get 
passwords to mysql databases, etc.

Don't use public stuff on these administrative servers. I'm not responsible 
for configuring your PHP installation, i.e. use PHPs secure mode to avoid 
these cases.

Cheers,
Cajus



Reply sent to Cajus Pollmeier <cajus@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Finn-Arne Johansen <faj@bzz.no>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 402010-done@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@debian.org>
To: request@bugs.debian.org
Cc: 402010-done@bugs.debian.org
Subject: Bug is not fixable
Date: Thu, 7 Dec 2006 16:57:35 +0100
tags 402010 + wontfix
thanks

This problem is inherited by the way apache/php handles scripts/permissions.
Either disable mod_user [1], or use PHP's safe mode [2] in order to lock down
your system.

From the gosa point of view, this problem can not be fixed - even not by
changing the way gosa authenticates to the LDAP.

---
[1] http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.8
[2] http://de.php.net/manual/en/features.safe-mode.php#features.safe-mode.functions



Tags added: wontfix Request was from Cajus Pollmeier <cajus@naasa.net> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to faj@bzz.no:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #27 received at 402010@bugs.debian.org (full text, mbox):

From: Finn-Arne Johansen <faj@bzz.no>
To: Cajus Pollmeier <cajus@debian.org>
Cc: 402010@bugs.debian.org
Subject: Re: Bug#402010: gosa leaves the ldap admin password readable by any web application
Date: Thu, 07 Dec 2006 20:21:03 +0100
Cajus Pollmeier wrote:
> On Thursday 07 December 2006 14:37, Finn-Arne Johansen wrote:
>> Package: gosa
>> Version: 2.5.6-2
>> Severity: critical
>> Tags: security
>> Justification: root security hole
>>
>>
>> The documentation in gosa tells the admin to install gosa.conf under
>> /etc/gosa/gosa.conf, and to make it readable by the group www-data.
>> In this configuration file, the ldap admin password is stored in
>> cleartext. Any process running under the web process can now read that
>> file, and if the same ldap user was used for authenticating, it would
>> be rather easy to create a user with root access.
>>
>> this little script placed under my ~/public_html/ revealed the password
>> on my server
>>   <?php system ('cat /etc/gosa/gosa.conf') ; ?>
> 
> So, do you have another solution, actually? Any web application that stores 
> information about passwords has the same problem, you can simply get 
> passwords to mysql databases, etc.
> 
> Don't use public stuff on these administrative servers. I'm not responsible 
> for configuring your PHP installation, i.e. use PHPs secure mode to avoid 
> these cases.

Please add these notes to the explanation or at least to the
README.Debian file

Someone thought about adding gosa as the user admin tool for Debian-Edu,
until I pointed this out.


-- 
Finn-Arne Johansen
faj@bzz.no http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642




Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Petter Reinholdtsen <pere@hungry.com>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #32 received at 402010@bugs.debian.org (full text, mbox):

From: Petter Reinholdtsen <pere@hungry.com>
To: 402010@bugs.debian.org
Subject: Re: gosa leaves the ldap admin password readable by any web application
Date: Thu, 07 Dec 2006 20:40:51 +0100
One way to solve it is to require the people accessing the LDAP
database using the web to provide the LDAP admin password during the
interaction, and not store it in clear text on the server.

One way to avoid having to pass the LDAP admin password every time is
to store it in a cookie.  It would then only be needed when logging
in.  To avoid having it in clear text in the cookie, the server can
generate a random session key, and use this key to encrypt the
password in the cookie, and use it to decrypt the cookie when the user
want to access the LDAP database.

Both the random session key and the cookie is required to have the
LDAP admin password, and nothing dangerous is stored in the cookie nor
on the server.

Friendly,
-- 
Petter Reinholdtsen
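Petter's scheme written out as an added example (not code from this thread or from GOsa): the server keeps only a random per-session key, the browser cookie carries the password encrypted and authenticated under that key, and either half on its own is useless. The primitives are an assumption of this example rather than anything the thread specifies: standard-library HMAC-SHA256 in counter mode as the keystream, with encrypt-then-MAC over nonce and ciphertext; the password value is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

NONCE_LEN = 16   # fresh random nonce per sealed cookie
TAG_LEN = 32     # HMAC-SHA256 tag


def _subkeys(session_key: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the random session key.
    enc_key = hmac.new(session_key, b"cookie-enc", hashlib.sha256).digest()
    mac_key = hmac.new(session_key, b"cookie-mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib-only stream cipher for the demo.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_password(session_key: bytes, password: str) -> str:
    """Encrypt the password under the session key, then MAC nonce+ciphertext.
    The result is a hex string suitable as a cookie value."""
    enc_key, mac_key = _subkeys(session_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return (nonce + ct + tag).hex()


def open_password(session_key: bytes, cookie: str) -> Optional[str]:
    """Verify the tag and decrypt. Returns None if the cookie is malformed,
    was tampered with, or was sealed under a different session key."""
    try:
        blob = bytes.fromhex(cookie)
    except ValueError:
        return None
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _subkeys(session_key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


class WebSessionStore:
    """Server side of the scheme: remembers session id -> random key only.
    The LDAP admin password is never written to disk and never kept here."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def login(self, ldap_admin_password: str) -> Tuple[str, str]:
        # Called once, when the user types the LDAP admin password at login.
        # Both values are handed to the browser; only sid -> key stays here.
        sid = secrets.token_hex(16)
        key = secrets.token_bytes(32)
        self._keys[sid] = key
        return sid, seal_password(key, ldap_admin_password)

    def ldap_bind_password(self, sid: str, cookie: str) -> Optional[str]:
        # Called for each LDAP operation: recover the password from cookie + key.
        key = self._keys.get(sid)
        return None if key is None else open_password(key, cookie)

    def logout(self, sid: str) -> None:
        # Dropping the key makes the cookie permanently undecryptable.
        self._keys.pop(sid, None)


if __name__ == "__main__":
    store = WebSessionStore()
    sid, cookie = store.login("constructed-admin-secret")
    print("cookie:", cookie)
    print("recovered:", store.ldap_bind_password(sid, cookie))
```

The limit a later message in this thread raises still applies: the session key lives in the web server's memory while the session is open, so code running inside that same process can combine it with the cookie it was just sent; the scheme takes the secret off disk, not out of the process.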



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Jun 2007 13:56:25 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 03 Apr 2008 14:27:06 GMT) Full text and rfc822 format available.

Bug marked as found in version 2.5.15-2 and reopened. Request was from Holger Levsen <holger@layer-acht.org> to control@bugs.debian.org. (Thu, 03 Apr 2008 14:27:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #43 received at 402010@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 402010@bugs.debian.org
Subject: this issue is still open and undocumented
Date: Thu, 3 Apr 2008 17:56:22 +0100
unarchive 402010
found 402010 2.5.15-2
thanks

Hi Cajus,

please put this information at least into the README.Debian. Currently this 
information is completely unobvious, as you have closed this bug. And not left 
it open as "wontfix"... 

Or maybe this isn't an issue anymore as Debian uses php's safe mode per 
default? Then please document that in the README.Debian (that safe mode 
shouldn't be turned off...)

And there is still Petter's proposal, how to implement this more securely.
(Then please retitle this bug and leave it open, so that someone else can send 
you a patch.)

Thanks.


regards,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Cajus Pollmeier <cajus@naasa.net>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #48 received at 402010@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@naasa.net>
To: 402010@bugs.debian.org
Subject: Re: gosa leaves the ldap admin password readable by any web application
Date: Thu, 3 Apr 2008 23:48:24 +0200
Petter's proposal does not work with GOsa, because it doesn't fit the  
concept. The users do not know the ldap admin password - and they  
shouldn't. Like they shouldn't know the database passwords for a web  
application of your choice. I don't get the problem - sorry.

I can place a note in the README, but I don't consider this a bug.

Cajus




Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Roland Mas <lolando@debian.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #53 received at 402010@bugs.debian.org (full text, mbox):

From: Roland Mas <lolando@debian.org>
To: debian-devel@lists.debian.org
Cc: 402010@bugs.debian.org
Subject: Re: How to deal with #402010?
Date: Fri, 04 Apr 2008 10:21:09 +0200
Cajus Pollmeier, 2008-04-04 09:18:37 +0200 :

> Hi,
>
> my position to this bug is written down in the bugtracker and I
> don't consider this a bug. Any opinions about what to do with it? It
> would apply to virtually any kind of web application accessing some
> kind of database/ldap passwords somewhere in the filesystem.

Depending on the web server, there may be a way around that problem.
The following works with Apache, at least, and I guess it can be
adapted to other servers as well.

  The thing is to store the passwords or sensitive info in files that
are only readable by root, and have Apache read these files and export
the information selectively to some webapps and not others, by
wrapping the appropriate directives in VirtualHost (or similar)
blocks.  Then it's a simple matter (ahem) of passing the info to the
webapp, and there are two ways to do that: with SetEnv (not ideal) or
with RequestHeader (probably better).

Roland.
-- 
Roland Mas

And it's so much sweeter to be called a fool in song...
  -- in En chantant (Michel Sardou)




Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #58 received at 402010@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: debian-devel@lists.debian.org, 402010@bugs.debian.org
Subject: Re: How to deal with #402010?
Date: Fri, 4 Apr 2008 11:50:42 +0200
Hi,

On Friday 04 April 2008 09:18, Cajus Pollmeier wrote:
> to virtually any kind of web application accessing some kind of
> database/ldap passwords somewhere in the filesystem.

I don't consider a web application which is used to configure the LDAP database 
and FAI configuration (to install and configure all machines in the network) 
just like any other web application.

In this bug are several suggestions how to implement a way better mechanism to 
deal with the password than the current one.

Also I unarchived this bug, because I think the least you can and should do is 
to document this in the README.Debian. (This=don't allow public html dirs for 
users and leave safe mode on.) 


regards,
	Holger

P.S.: regarding those four major ldap servers.. I think it would be a great 
start if it would be more secure with one of them :-)

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Cajus Pollmeier <cajus@naasa.net>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #63 received at 402010@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@naasa.net>
To: Holger Levsen <holger@layer-acht.org>, 402010@bugs.debian.org
Cc: debian-devel@lists.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Fri, 4 Apr 2008 12:22:05 +0200
On Friday, 4 April 2008 11:50:42, Holger Levsen wrote:
> Hi,
>
> On Friday 04 April 2008 09:18, Cajus Pollmeier wrote:
> > to virtually any kind of web application accessing some kind of
> > database/ldap passwords somewhere in the filesystem.
>
> I dont consider a web application which is used to configure the LDAP
> database and FAI configuration (to install and configure all machines in
> the network) just like any other web application.
>
> In this bug are several suggestions how to implement a way better mechanism
> to deal with the password than the current one.

If you read the comments, you'll see that it is not possible to use these 
suggestions. Besides maybe the last one, but there's no proper 
infrastructure in debian to use it directly.

> Also I unarchived this bug, because I think the least you can and should do
> is to document this in the README.Debian. (This=don't allow public html dirs
> for users and leave safe mode on.)

As said - I'm not responsible for the webserver setup of other people. Sure, I 
can put it inside the README and close this bug - waiting until the next one 
comes around and urges me to do something about it again. Ah wait, I can just 
orphan the gosa packages.

> P.S.: regarding those four major ldap servers.. I think it would be a great
> start if it would be more secure with one of them :-)

You're welcome. Send patches.

Cheers,
Cajus




Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Jon Dowland <jon+debian-devel@alcopop.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #68 received at 402010@bugs.debian.org (full text, mbox):

From: Jon Dowland <jon+debian-devel@alcopop.org>
To: Cajus Pollmeier <cajus@naasa.net>
Cc: Holger Levsen <holger@layer-acht.org>, 402010@bugs.debian.org, debian-devel@lists.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Fri, 4 Apr 2008 11:45:31 +0100
On Fri, Apr 04, 2008 at 12:22:05PM +0200, Cajus Pollmeier wrote:
> As said - I'm not responsible for the webserver setup of other people.
> Sure, I can put it inside the README and close this bug - waiting
> until the next one comes around and urges me to do something about it
> again. Ah wait, I can just orphan the gosa packages.

Better to leave it open and tag it wontfix (meaning "can't fix") if the
bug is not actually fixed.


-- 
Jon Dowland




Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Holger Levsen <holger@layer-acht.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #73 received at 402010@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 402010@bugs.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Fri, 4 Apr 2008 13:20:04 +0200
Hi,

On Friday 04 April 2008 12:22, you wrote:
> > In this bug are several suggestions how to implement a way better
> > mechanism to deal with the password than the current one.
> If you read the comments, you'll see that it is not possible to use these
> suggestions. Besides maybe the last one, but there's no proper
> infrastructure in debian to use it directly.

There was no reply to Petter's suggestions... (and thus I don't see why it's not 
possible.)

> As said - I'm not responsible for the webserver setup of other people.
> Sure, I can put it inside the README and close this bug

Please put something in the README.

> Ah wait,
> I can just orphan the gosa packages.

*sigh*

I don't understand why you take this personally. Or take it like this.


regards,
	Holger

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #78 received at 402010@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: 402010@bugs.debian.org
Subject: this is exactly like every other web app credential store
Date: Sat, 5 Apr 2008 01:57:34 +0100
There are a few that do it better, but in the main, this is exactly the
way that every other web application in Debian stores its credentials.
Is there some reason this bug is RC and the others either don't have bugs
filed or are not RC?
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Stephen Gran <sgran@debian.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #83 received at 402010@bugs.debian.org (full text, mbox):

From: Stephen Gran <sgran@debian.org>
To: Debian BTS control <control@bugs.debian.org>
Cc: 402010@bugs.debian.org
Subject: downgrading
Date: Sat, 5 Apr 2008 02:07:47 +0100
severity 402010 important
tags 402010 -security
thanks

01:58 < sgran> anyone have a problem with downgrading #402010?
01:59 < sgran> I agree it's not perfect, but it's exactly the same as
dozens or hundreds of other web apps that need to store credentials of 
one form or another
02:01 < zobel> sgran: not me.
-- 
 -----------------------------------------------------------------
|   ,''`.                                            Stephen Gran |
|  : :' :                                        sgran@debian.org |
|  `. `'                        Debian user, admin, and developer |
|    `-                                     http://www.debian.org |
 -----------------------------------------------------------------

Severity set to `important' from `critical' Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Sat, 05 Apr 2008 01:18:03 GMT) Full text and rfc822 format available.

Tags removed: security Request was from Stephen Gran <sgran@debian.org> to control@bugs.debian.org. (Sat, 05 Apr 2008 01:18:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@seanius.net>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #92 received at 402010@bugs.debian.org (full text, mbox):

From: sean finney <seanius@seanius.net>
To: debian-devel@lists.debian.org
Cc: Cajus Pollmeier <cajus@naasa.net>, Holger Levsen <holger@layer-acht.org>, 402010@bugs.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Sat, 5 Apr 2008 11:07:37 +0200
hi,

a few more ideas for you to think about:

- create a user specific to the package, and

1: use a setuid wrapper binary for doing all ldap communications

or

2: use some kind of user-restricted fastcgi type setup instead of standard 
apache mod_php/python/whatever

or

3: run a separate instance of $webserver listening on a different port 
(localhost:8080 or similar), and running as the specific user.  you can then 
drop in a proxy config to make that available from the standard $webserver.




	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Cajus Pollmeier <cajus@naasa.net>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #97 received at 402010@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@naasa.net>
To: sean finney <seanius@seanius.net>
Cc: debian-devel@lists.debian.org, 402010@bugs.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Sat, 5 Apr 2008 11:26:14 +0200
The problem is that these aspects are not packagable as some kind of  
"fire and forget" installation. I'd prefer the way Roland proposed,  
using some kind of

# cat /etc/apache2/conf.d/gosa.conf
Alias /gosa /usr/share/gosa/html
<Location /gosa>
        include /etc/gosa/gosa.secrets
</Location>

# cat /etc/gosa/gosa.secrets
RequestHeader set FooPassword very-secret-credentials

The latter file can only be read by root, so the security "problem" is  
as critical as being able to read cleartext kerberos or sasldb  
passwords as root.

This implementation only requires minimum changes and has no big  
overhead on the server side... Uh, and a "a2enmod headers" from  
postinst.

Cheers,
Cajus

On 05.04.2008 at 11:07, sean finney wrote:
> hi,
>
> a few more ideas for you to think about:
>
> - create a user specific to the package, and
>
> 1: use a setuid wrapper binary for doing all ldap communications
>
> or
>
> 2: use some kind of user-restricted fastcgi type setup instead of  
> standard
> apache mod_php/python/whatever
>
> or
>
> 3: run a separate instance of $webserver listening on a different port
> (localhost:8080 or similar), and running as the specific user.  you  
> can then
> drop in a proxy config to make that available from the standard  
> $webserver.
>
>
>
>
> 	sean





Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to sean finney <seanius@debian.org>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #102 received at 402010@bugs.debian.org (full text, mbox):

From: sean finney <seanius@debian.org>
To: debian-devel@lists.debian.org
Cc: Cajus Pollmeier <cajus@naasa.net>, 402010@bugs.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Sat, 5 Apr 2008 11:59:31 +0200
hi,

On Saturday 05 April 2008 11:26:14 am Cajus Pollmeier wrote:
> The problem is that these aspects are not packagable as some kind of
> "fire and forget" installation. I'd prefer the way Roland proposed,
> using some kind of

option 3 could work out of the box, though it just requires more initial setup 
work to get right in the packaging.  i'm not saying it's the Right Way, but 
it would provide the necessary compartmentalizing.

> RequestHeader set FooPassword very-secret-credentials

i suspect php users will still be able to find that out, in the same way that 
they can read ssl private keys from the webserver's memory (you *did* know 
they can do that, right? :)

	sean

Information forwarded to debian-bugs-dist@lists.debian.org, Cajus Pollmeier <cajus@debian.org>:
Bug#402010; Package gosa. Full text and rfc822 format available.

Acknowledgement sent to Cajus Pollmeier <cajus@naasa.net>:
Extra info received and forwarded to list. Copy sent to Cajus Pollmeier <cajus@debian.org>. Full text and rfc822 format available.

Message #107 received at 402010@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@naasa.net>
To: sean finney <seanius@debian.org>
Cc: 402010@bugs.debian.org
Subject: Re: Bug#402010: How to deal with #402010?
Date: Sat, 5 Apr 2008 12:27:27 +0200
On 05.04.2008 at 11:59, sean finney wrote:
> hi,
>
> On Saturday 05 April 2008 11:26:14 am Cajus Pollmeier wrote:
>> The problem is that these aspects are not packagable as some kind of
>> "fire and forget" installation. I'd prefer the way Roland proposed,
>> using some kind of
>
> option 3 could work out of the box, though it just requires more  
> initial setup
> work to get right in the packaging.  i'm not saying it's the Right  
> Way, but
> it would provide the necessary compartmentalizing.

Well - I guess this information would be good for the README. You  
think about providing another apache init script + configs? Hmm. But  
gosa+php works with other webservers, too. So the packaging overhead  
might grow.

Or you force the use of apache-mpm-itk and let it run in a different  
vhost as a different user.

>> RequestHeader set FooPassword very-secret-credentials

> i suspect php users will still be able to find that out, in the same  
> way that
> they can read ssl private keys from the webserver's memory (you  
> *did* know
> they can do that, right? :)

Do you have more information about this? I guess this is only the case  
for unpatched php instances, isn't it?

Cheers,
Cajus




Reply sent to Cajus Pollmeier <cajus@naasa.net>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Finn-Arne Johansen <faj@bzz.no>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #112 received at 402010-done@bugs.debian.org (full text, mbox):

From: Cajus Pollmeier <cajus@naasa.net>
To: 402010-done@bugs.debian.org
Subject: Updated since the upload doesn't seem to handle Closes: #... correctly
Date: Mon, 12 May 2008 16:23:46 +0200
2.5.16-1 addressed this issue.




Bug marked as fixed in version 2.5.16-1. Request was from Raphael Geissert <atomo64@gmail.com> to control@bugs.debian.org. (Mon, 12 May 2008 20:30:07 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 10 Jun 2008 07:30:32 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 21:08:10 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.