On Fri, Sep 15, 2006 at 08:58:06AM -0400, Stephen Frost wrote:

> Erm, is there some reason you don't have 'ssl on' in your config?

Nothing said it's necessary, I thought the "ldaps://" URL is explicit
enough. And in fact TLS _is_ being used without "ssl on", just the
libnss-ldap-specific options are not being applied.

> I'm curious about this, are you sure a libldap would read an "ldaprc"
> file when run from a setuid program?

Yep:

# ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 32296 2006-08-25 19:49 /usr/bin/passwd
# mv /etc/ldap/ldap.conf /etc/ldap/ldap.conf.away

$ cd /tmp
$ passwd testuser
passwd: unknown user testuser
$ echo 'TLS_CACERT /etc/ssl/certs/ldapca.pem' > ldaprc
$ passwd testuser
passwd: You may not view or modify password information for testuser.

> Or that it'd read the
> current-directory ldaprc in that situation?  Can you provide an strace
> showing this happening?

The interesting fragments:

execve("/usr/bin/passwd", ["passwd", "testuser"], [/* 16 vars */]) = 0
[...]
access("/etc/suid-debug", F_OK)         = -1 ENOENT (No such file or directory)
[...]
getuid32()                              = 1000
[...]
geteuid32()                             = 0
[...]
open("/etc/libnss-ldap.conf", O_RDONLY) = 3
[...]
open("/etc/ldap/ldap.conf", O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)
open("ldaprc", O_RDONLY|O_LARGEFILE)    = 3

There is no path component in the last open(), so ldaprc is always read
from the current directory.

> Also, the user would have to have access to more than the ldaprc file,
> no?  Since the user couldn't control what server is being connected to
> without more control on the system, or control over the DNS, etc.

True, but DNS poisoning is trivial (especially in a large local network
with lots of not-so-trusted machines). If I'd trust the network I'd have
no need for TLS at all...

Gabor

-- 
     ---------------------------------------------------------
     MTA SZTAKI Computer and Automation Research Institute
                Hungarian Academy of Sciences
     ---------------------------------------------------------
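The defensive pattern that closes the hole described in the message above (a set-uid program such as passwd pulling `ldaprc` from the invoking user's current directory) is to consult user-controlled configuration sources only when the real and effective ids match. The following is an added example written for this page; it is not libldap's or libnss-ldap's code. The source list is an assumption (a system-wide file, a file named by an assumed `LDAPRC` environment variable, `~/.ldaprc`, and `./ldaprc`, the last being the path-less `open("ldaprc")` visible in the strace); the decision is kept in a pure function so it can be exercised with constructed uid/euid pairs.

```c
/* setid_config_guard.c - added example, not libldap code.
 * Demonstrates gating per-user config sources on "not running set-id". */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Configuration sources a library might consult, as a bitmask (assumed list). */
enum {
    SRC_SYSTEM = 1 << 0,  /* /etc/ldap/ldap.conf: root-owned, always trusted  */
    SRC_ENV    = 1 << 1,  /* file named by an env var (assumed: LDAPRC)        */
    SRC_HOME   = 1 << 2,  /* $HOME/.ldaprc                                     */
    SRC_CWD    = 1 << 3   /* ./ldaprc, the open("ldaprc") seen in the strace   */
};

/* The check itself: per-user sources are trusted only when real and
 * effective ids match, i.e. the process is not set-uid or set-gid. */
int user_config_trusted(uid_t uid, uid_t euid, gid_t gid, gid_t egid)
{
    return uid == euid && gid == egid;
}

/* Decide which sources to read for a process with the given ids.
 * env_set says whether the (assumed) LDAPRC variable is present. */
int config_sources(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int env_set)
{
    int mask = SRC_SYSTEM;                    /* always read the system file */
    if (!user_config_trusted(uid, euid, gid, egid))
        return mask;                          /* set-id: ignore everything the caller controls */
    if (env_set)
        mask |= SRC_ENV;
    mask |= SRC_HOME | SRC_CWD;
    return mask;
}

/* Same decision for the running process, using the real syscalls. */
int current_config_sources(void)
{
    return config_sources(getuid(), geteuid(), getgid(), getegid(),
                          getenv("LDAPRC") != NULL);
}

int main(void)
{
    int mask = current_config_sources();
    printf("this process: system=%d env=%d home=%d cwd=%d\n",
           !!(mask & SRC_SYSTEM), !!(mask & SRC_ENV),
           !!(mask & SRC_HOME),   !!(mask & SRC_CWD));

    /* Constructed case mirroring the strace above: getuid()=1000, geteuid()=0.
     * With the guard, only the system file is consulted and ./ldaprc is never opened. */
    mask = config_sources(1000, 0, 1000, 1000, 0);
    printf("passwd-like set-uid case: cwd ldaprc read? %s\n",
           (mask & SRC_CWD) ? "yes" : "no");
    return 0;
}
```

Note that `geteuid()` alone is not sufficient: a set-gid binary has matching uids but a differing gid, so both pairs are compared. On glibc systems `secure_getenv()` applies the same test to environment lookups.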
