On Mon, Oct 13, 2008 at 10:18:19PM +0200, Torsten Landschoff wrote:
> On Monday 13 October 2008 21:03:36 you wrote:
> > From: Rafal Kupka <[EMAIL PROTECTED]>
> > To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> > Subject: libldap2 reads from ~/.ldaprc and $PWD/ldaprc while running
> > privileged programs
> > Date: Fri, 11 Jun 2004 14:21:48 +0200
> > Package: libldap2
> > Version: 2.1.30-1
> > Severity: normal
> > Tags: security
> >
> > This bug is visible in systems with libnss-ldap and libpam-ldap.
> > Even privileged programs (like su) read configuration file from users
> > home and current directory (follows symlinks too).
>
> Ouch, I can't understand that I let this slip back then. I just checked the
> sources to OpenLDAP 2.4.11-1 and basically this report still applies.
>
> That is, libldap will gladly read $HOME/.ldaprc. The ldaprc in the current
> directory is not read for quite some time now, that misfeature was removed in
> 1998:
> http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/init.c.diff?r1=1.8&r2=1.9&hideattic=1&sortbydate=0&f=h
> Now, a ldaprc can be defined using the "LDAPRC" environment variable instead,
> which is not that much better. LDAPCONF will work as well.
>
> The RedHat fix can be found here, BTW:
> http://cvs.fedoraproject.org/viewvc/rpms/openldap/F-9/openldap-2.0.11-ldaprc.patch?revision=1.1&view=markup
>
> This completely disables the .ldaprc file, but LDAPRC and LDAPCONF
> environment
> variables would still work.
>
> I would like to apply a patch to disable LDAPRC, LDAPCONF and .ldaprc when
> the
> effective uid does not match the real uid.
Sounds like a good plan. What's the status of this fix for Lenny?
Cheers,
Moritz
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
