Package: libnss-ldapd
Version: 0.6.7
Severity: important

Hi,

I believe there is a security issue with the default permissions on file
/etc/nss-ldapd.conf

It is created as follows:
owner: root
group: root
mode: 644

My LDAP server requires authentication to access the posix user/group
attributes, but the clear text credentials I have provided to debconf are
world-readable when saved in this file.

I suggest the following permissions as a new default:
owner: root
group: nslcd
mode: 640

I have not had time to check this in testing or unstable, but should this be
deployed to lenny as a security update? (both change the default and maybe
prompt the administrator to change the existing permissions?)

I am migrating from libnss-ldap, which has a debconf prompt to change the mode
to 0600 if there's a password in it.

First bug, please don't flame too hard if I'm doing it wrong :)

- Leigh.

-- System Information:
Debian Release: 5.0
  APT prefers unstable
  APT policy: (20081028, 'unstable'), (990, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.28-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libnss-ldapd depends on:
ii  adduser               3.110               add and remove users and groups
ii  debconf [debconf-2.0] 1.5.24              Debian configuration management sy
ii  libc6                 2.7-18              GNU C Library: Shared libraries
ii  libkrb53              1.6.dfsg.4~beta1-5  MIT Kerberos runtime libraries
ii  libldap-2.4-2         2.4.11-1            OpenLDAP libraries
ii  libsasl2-2            2.1.22.dfsg1-23     Cyrus SASL - authentication abstra

Versions of packages libnss-ldapd recommends:
pn  libpam-ldap           <none>              (no description available)
pn  nscd                  <none>              (no description available)

libnss-ldapd suggests no packages.
-- debconf information:
* libnss-ldapd/ldap-base: dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/nsswitch: group, passwd, shadow
* libnss-ldapd/ldap-binddn: cn=authtest,ou=Users,dc=bms,dc=qld,dc=edu,dc=au
* libnss-ldapd/ldap-uris: ldaps://eddie.bms.qld.edu.au
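An added example, not part of the bug report or of the libnss-ldapd package: a small POSIX sh audit that detects the condition described above (a config file carrying a clear-text bindpw line while "other" has read permission) and applies the proposed default of root:nslcd mode 0640. The function names, the sample config and the temporary directory are constructed for illustration; the bindpw/binddn/uri/base keys are the ones nss-ldapd.conf uses. When run without root or on a host without an nslcd group, the chown/chgrp steps are reported and skipped so that the chmod still lands.

```shell
#!/bin/sh
# Added example (not the package's own code): audit an nss-ldapd.conf for a
# world-readable bindpw and tighten it to the proposed root:nslcd 0640.

# conf_has_bindpw FILE -> 0 when the file carries a clear-text bindpw line
conf_has_bindpw() {
    grep -Eq '^[[:space:]]*bindpw[[:space:]]+' "$1"
}

# conf_world_readable FILE -> 0 when "other" has read permission
conf_world_readable() {
    # column 8 of "ls -ld" output is the other-read bit (r or -)
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# conf_exposed FILE -> 0 (true) only when credentials are present AND
# the file is world-readable; a passwordless config is not flagged
conf_exposed() {
    conf_has_bindpw "$1" && conf_world_readable "$1"
}

# harden_conf FILE [GROUP]: apply the proposed default, root:GROUP 0640.
# GROUP defaults to nslcd; pass another group when no nslcd group exists.
harden_conf() {
    f=$1
    g=${2:-nslcd}
    chmod 0640 "$f" || return 1
    # chgrp needs an existing group and chown needs root: warn, keep the chmod
    chgrp "$g" "$f" 2>/dev/null || echo "warning: could not chgrp $f to $g" >&2
    if [ "$(id -u)" -eq 0 ]; then chown root "$f"; fi
}

# demo: a constructed sample config in a temp dir, NOT the real /etc file
demo() {
    d=$(mktemp -d) || return 1
    f="$d/nss-ldapd.conf"
    cat > "$f" <<'EOF'
# constructed sample mirroring the report's debconf answers
uri ldaps://eddie.bms.qld.edu.au
base dc=bms,dc=qld,dc=edu,dc=au
binddn cn=authtest,ou=Users,dc=bms,dc=qld,dc=edu,dc=au
bindpw example-secret
EOF
    chmod 0644 "$f"                 # the shipped default the report objects to
    conf_exposed "$f" && echo "before: $f is world-readable and holds a bindpw"
    harden_conf "$f" "$(id -gn)"    # caller's own group stands in for nslcd here
    conf_exposed "$f" || echo "after:  $(ls -ld "$f" | cut -c1-10) $f"
    rm -rf "$d"
}

demo
```

On a real host the call would be `harden_conf /etc/nss-ldapd.conf` as root; the audit half (`conf_exposed`) is the piece worth keeping in a configuration check, since the package default, not an administrator's mistake, is what produced the exposure.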