Debian Bug report logs - #520476
libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw


Package: libnss-ldapd; Maintainer for libnss-ldapd is Arthur de Jong <adejong@debian.org>; Source for libnss-ldapd is src:nss-pam-ldapd.

Reported by: Leigh James <leigh@bms.qld.edu.au>

Date: Fri, 20 Mar 2009 04:36:02 UTC

Severity: important

Tags: security

Found in version nss-ldapd/0.6.7

Fixed in versions nss-ldapd/0.6.8, nss-ldapd/0.6.7.1

Done: Arthur de Jong <adejong@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#520476; Package libnss-ldapd. (Fri, 20 Mar 2009 04:36:04 GMT)

Acknowledgement sent to Leigh James <leigh@bms.qld.edu.au>:
New Bug report received and forwarded. Copy sent to Arthur de Jong <adejong@debian.org>. (Fri, 20 Mar 2009 04:36:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Leigh James <leigh@bms.qld.edu.au>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw
Date: Fri, 20 Mar 2009 14:32:03 +1000
Package: libnss-ldapd
Version: 0.6.7
Severity: important


Hi, I believe there is a security issue with the default permissions on file /etc/nss-ldapd.conf.
It is created as follows:
owner: root
group: root
mode: 644

My LDAP server requires authentication to access the posix user/group attributes,
but the clear text credentials I have provided to debconf are world-readable
when saved in this file. I suggest the following permissions as a new default:
owner: root
group: nslcd
mode: 640

I have not had time to check this in testing or unstable, but should this be
deployed to lenny as a security update? (both change the default and maybe prompt
the administrator to change the existing permissions?)

I am migrating from libnss-ldap, which has a debconf prompt to change the mode to 0600
if there's a password in it.

First bug, please don't flame too hard if I'm doing it wrong :)

- Leigh.


-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (20081028, 'unstable'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser               3.110              add and remove users and groups
ii  debconf [debconf-2.0] 1.5.24             Debian configuration management sy
ii  libc6                 2.7-18             GNU C Library: Shared libraries
ii  libkrb53              1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1           OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23    Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
pn  libpam-ldap                   <none>     (no description available)
pn  nscd                          <none>     (no description available)

libnss-ldapd suggests no packages.

-- debconf information:
* libnss-ldapd/ldap-base: dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/nsswitch: group, passwd, shadow
* libnss-ldapd/ldap-binddn: cn=authtest,ou=Users,dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/ldap-uris: ldaps://eddie.bms.qld.edu.au




Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#520476; Package libnss-ldapd. (Fri, 20 Mar 2009 12:15:02 GMT)

Acknowledgement sent to 520476@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Fri, 20 Mar 2009 12:15:02 GMT)

Message #10 received at 520476@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Leigh James <leigh@bms.qld.edu.au>, 520476@bugs.debian.org
Subject: Re: Bug#520476: libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw
Date: Fri, 20 Mar 2009 13:13:36 +0100
tags 520476 + pending
thanks

On Fri, 2009-03-20 at 14:32 +1000, Leigh James wrote:
> Hi, I believe there is a security issue with the default permissions
> on file /etc/nss-ldapd.conf. It is created as follows:
> owner: root
> group: root
> mode: 644
>
> My LDAP server requires authentication to access the posix user/group
> attributes, but the clear text credentials I have provided to debconf
> are world-readable when saved in this file. I suggest the following
> permissions as a new default:
> owner: root
> group: nslcd
> mode: 640

Thanks for your report. This has been a TODO item in the package
configuration that has now been fixed. A patch is available here:
http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/debian/libnss-ldapd.postinst?r1=795&r2=813

It changes permissions to 600 if the package is installed with a
password in it or if it's reconfigured with dpkg-reconfigure.

Additionally this patch:
http://arthurenhella.demon.nl/viewvc/nss-ldapd/nss-ldapd/man/nss-ldapd.conf.5.xml?r1=805&r2=806
mentions setting proper permissions in the manual page.

> I have not had time to check this in testing or unstable, but should
> this be deployed to lenny as a security update? (both change the
> default and maybe prompt the administrator to change the existing
> permissions?)

I will contact the security team to see if an updated package for lenny
is needed (will update this bug accordingly).

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

Tags added: pending Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Fri, 20 Mar 2009 12:18:04 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Arthur de Jong <adejong@debian.org>:
Bug#520476; Package libnss-ldapd. (Sat, 21 Mar 2009 13:06:06 GMT)

Acknowledgement sent to 520476@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Arthur de Jong <adejong@debian.org>. (Sat, 21 Mar 2009 13:06:06 GMT)

Message #17 received at 520476@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: Leigh James <leigh@bms.qld.edu.au>
Cc: 520476 <520476@bugs.debian.org>
Subject: Re: Bug#520476: libnss-ldapd: /etc/nss-ldapd.conf is created world-readable, exposing bindpw
Date: Sat, 21 Mar 2009 14:03:30 +0100
tags 520476 + security
thanks

On Fri, 2009-03-20 at 13:13 +0100, Arthur de Jong wrote:
> Thanks for your report. This has been a TODO item in the package
> configuration that has now been fixed.
[...]
> It changes permissions to 600 if the package is installed with a
> password in it or if it's reconfigured with dpkg-reconfigure.

After discussing this with the Debian security team I will make a
slightly different solution that would always set the permissions of the
file so that it is no longer world-readable.

I will prepare an updated package.

-- 
-- arthur - adejong@debian.org - http://people.debian.org/~adejong --

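A way to audit and fix this class of exposure, as an added example that is not the package's own postinst: it checks whether a config file carries an uncommented bindpw line while being world-readable (the 0.6.7 state described in the report) and applies the approach settled on above, always removing access for "others" whether or not a password is present. It assumes a POSIX sh with GNU or BSD stat and runs only against a constructed sample file in a temporary directory.

```shell
#!/bin/sh
# Added example, not the nss-ldapd postinst: audit and harden the permissions
# of an nss-ldapd.conf-style file that may hold a bindpw credential.
set -eu

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Return 0 if the file carries an LDAP password (an uncommented bindpw line).
has_bindpw() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]' "$1"
}

# Return 0 if "others" can read the file, i.e. the credential would be exposed.
is_world_readable() {
    m=$(mode_of "$1")
    o=$(printf '%s' "$m" | tail -c 1)   # last octal digit: the "others" triplet
    [ $(( o & 4 )) -ne 0 ]              # bit 4 of that triplet is read
}

# Audit: return 0 if safe, 1 if the file is world-readable and holds a bindpw.
audit_conf() {
    if has_bindpw "$1" && is_world_readable "$1"; then
        echo "WARNING: $1 is world-readable and contains bindpw" >&2
        return 1
    fi
    return 0
}

# Fix in the spirit of the 0.6.7.1 change: unconditionally drop all access
# for "others", regardless of whether a password is currently in the file.
harden_conf() {
    chmod o-rwx "$1"
}

# Self-check on a constructed sample config (the password is a placeholder).
demo() {
    d=$(mktemp -d); f="$d/nss-ldapd.conf"
    printf 'uri ldaps://ldap.example.org\nbinddn cn=proxy,dc=example,dc=org\nbindpw constructed-sample\n' > "$f"
    chmod 644 "$f"                       # the world-readable default from 0.6.7
    audit_conf "$f" && echo "unexpected: audit passed on 644" >&2
    harden_conf "$f"
    audit_conf "$f" && echo "hardened: $f is now mode $(mode_of "$f")"
    rm -rf "$d"
}

demo
```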
Tags added: security Request was from Arthur de Jong <adejong@debian.org> to control@bugs.debian.org. (Sat, 21 Mar 2009 13:06:07 GMT)

Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Sun, 22 Mar 2009 22:48:14 GMT)

Notification sent to Leigh James <leigh@bms.qld.edu.au>:
Bug acknowledged by developer. (Sun, 22 Mar 2009 22:48:14 GMT)

Message #24 received at 520476-close@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 520476-close@bugs.debian.org
Subject: Bug#520476: fixed in nss-ldapd 0.6.8
Date: Sun, 22 Mar 2009 22:17:03 +0000
Source: nss-ldapd
Source-Version: 0.6.8

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.8_i386.deb
  to pool/main/n/nss-ldapd/libnss-ldapd_0.6.8_i386.deb
nss-ldapd_0.6.8.dsc
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.8.dsc
nss-ldapd_0.6.8.tar.gz
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.8.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520476@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adejong@debian.org> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Mar 2009 22:00:00 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.8
Distribution: unstable
Urgency: high
Maintainer: Arthur de Jong <adejong@debian.org>
Changed-By: Arthur de Jong <adejong@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 520476
Changes: 
 nss-ldapd (0.6.8) unstable; urgency=high
 .
   * SECURITY FIX: the nss-ldapd.conf file that is installed was created
                   world-readable, which could cause problems if the bindpw
                   option is used; this has been fixed and warnings have been
                   added to the manual page and sample nss-ldapd.conf
                   (closes: #520476)
   * clean the environment and set LDAPNOINIT to disable parsing of LDAP
     configuration files (.ldaprc, /etc/ldap/ldap.conf, etc)
   * remove sslpath option because it wasn't used
   * correctly set SSL/TLS options when using StartTLS
   * rename the tls_checkpeer option to tls_reqcert, deprecating the old name
     and supporting all values that OpenLDAP supports
   * allow backslashes in user and group names except as first or last
     character
   * check user and group names against LOGIN_NAME_MAX if it is defined
   * fix for getpeercred() on Solaris by David Bartley
   * debian/control: change section to admin to follow change in override file
   * add lintian override for missing shlibs and symbols control files (we are
     a shared library that should not be directly linked to)
   * upgrade to standards-version 3.8.1 (no changes needed)
   * upgrade to debhelper compatibility level 7


Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Thu, 02 Apr 2009 14:12:03 GMT)

Notification sent to Leigh James <leigh@bms.qld.edu.au>:
Bug acknowledged by developer. (Thu, 02 Apr 2009 14:12:03 GMT)

Message #29 received at 520476-close@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 520476-close@bugs.debian.org
Subject: Bug#520476: fixed in nss-ldapd 0.6.7.1
Date: Thu, 02 Apr 2009 13:54:03 +0000
Source: nss-ldapd
Source-Version: 0.6.7.1

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.7.1_i386.deb
  to pool/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_i386.deb
nss-ldapd_0.6.7.1.dsc
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.dsc
nss-ldapd_0.6.7.1.tar.gz
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520476@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adejong@debian.org> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Mar 2009 10:43:17 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.7.1
Distribution: stable-security
Urgency: high
Maintainer: Arthur de Jong <adejong@debian.org>
Changed-By: Arthur de Jong <adejong@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 520476
Changes: 
 nss-ldapd (0.6.7.1) stable-security; urgency=high
 .
   * security upload
   * fix the permissions of /etc/nss-ldapd.conf to not be world readable
     (file can be used to store LDAP password) (closes: #520476)


Reply sent to Arthur de Jong <adejong@debian.org>:
You have taken responsibility. (Sat, 11 Apr 2009 17:18:16 GMT)

Notification sent to Leigh James <leigh@bms.qld.edu.au>:
Bug acknowledged by developer. (Sat, 11 Apr 2009 17:18:16 GMT)

Message #34 received at 520476-close@bugs.debian.org:

From: Arthur de Jong <adejong@debian.org>
To: 520476-close@bugs.debian.org
Subject: Bug#520476: fixed in nss-ldapd 0.6.7.1
Date: Sat, 11 Apr 2009 16:47:32 +0000
Source: nss-ldapd
Source-Version: 0.6.7.1

We believe that the bug you reported is fixed in the latest version of
nss-ldapd, which is due to be installed in the Debian FTP archive:

libnss-ldapd_0.6.7.1_i386.deb
  to pool/main/n/nss-ldapd/libnss-ldapd_0.6.7.1_i386.deb
nss-ldapd_0.6.7.1.dsc
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.dsc
nss-ldapd_0.6.7.1.tar.gz
  to pool/main/n/nss-ldapd/nss-ldapd_0.6.7.1.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 520476@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Arthur de Jong <adejong@debian.org> (supplier of updated nss-ldapd package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Mar 2009 10:43:17 +0100
Source: nss-ldapd
Binary: libnss-ldapd
Architecture: source i386
Version: 0.6.7.1
Distribution: stable-security
Urgency: high
Maintainer: Arthur de Jong <adejong@debian.org>
Changed-By: Arthur de Jong <adejong@debian.org>
Description: 
 libnss-ldapd - NSS module for using LDAP as a naming service
Closes: 520476
Changes: 
 nss-ldapd (0.6.7.1) stable-security; urgency=high
 .
   * security upload
   * fix the permissions of /etc/nss-ldapd.conf to not be world readable
     (file can be used to store LDAP password) (closes: #520476)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 10 May 2009 07:35:07 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 11:43:14 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.