ldapscripts.passwd uses insecure permissions by default

Bug #1662164 reported by Dan Bishop on 2017-02-06
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ldapscripts (Debian)
Fix Released
Unknown
ldapscripts (Ubuntu)
Medium
Dan Bishop

Bug Description

When installing the ldapscripts package, the default "/etc/ldapscripts/ldapscripts.passwd" file is world readable!

It should only readable by root. The conf file also confirms that this file should NOT be world readable in the comments.

Seth Arnold (seth-arnold) wrote :

12.04 LTS:
-rw-r----- 1 root root 6 Jan 30 2012 /etc/ldapscripts/ldapscripts.passwd

14.04 LTS:
-rw-r----- 1 root root 6 Nov 24 2013 /etc/ldapscripts/ldapscripts.passwd

16.04 LTS:
-rw-r--r-- 1 root root 6 Jan 3 2016 /etc/ldapscripts/ldapscripts.passwd

16.10:
-rw-r--r-- 1 root root 6 Jan 3 2016 /etc/ldapscripts/ldapscripts.passwd

zesty:
-rw-r----- 1 root root 6 Dec 31 22:54 /etc/ldapscripts/ldapscripts.passwd

information type: Private Security → Public Security
Changed in ldapscripts (Debian):
status: Unknown → Fix Released
Seth Arnold (seth-arnold) wrote :

Thanks Dan, it looks like this was introduced with a switch from cdbs to dh packaging formats in Debian version 2.0.6-1 and fixed in Debian version 2.0.7-2. This patch appears to be sufficient to fix the issue:

https://bugs.debian.org/cgi-bin/bugreport.cgi?att=1;bug=834578;filename=ldapscripts.diff.txt;msg=10

Because this package is in Universe is it community-supported; could you try to prepare a debdiff to fix this issue? When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

Thanks

Dan Bishop (danbishop) wrote :

I think this is what is required...

The attachment "ldapscripts_2.0.6-1ubuntu2.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Tyler Hicks (tyhicks) wrote :

Hi Dan - Thanks so much for attaching the debdiff!

I've reviewed the debdiff and have some feedback:

1) Both Ubuntu 16.04 LTS and Ubuntu 16.10 are affected. If possible, a debdiff
   for each release would be appreciated.

2) The version used in the debdiff is incorrect. It should follow the
   guidelines described in section #2 here:

   https://wiki.ubuntu.com/SecurityTeam/UpdatePreparation#Packaging

   Ubuntu 16.04 LTS should use 2.0.6-1ubuntu1.16.04.1 and Ubuntu 16.10 should
   use 2.0.6-1ubuntu1.16.10.1

3) The distribution field in the changelog should be "xenial-security" instead
   of "xenial". The Ubuntu 16.10 debdiff would use "yakkety-security". This is
   described in section #3 in the same link as above.

4) The changelog contents should be more descriptive. It should follow the
   guidelines described in section #3 in the same link as above. Something like
   this would work:

  * SECURITY UPDATE: Incorrect permissions on the
    /etc/ldapscripts/ldapscripts.passwd file allow local attackers to read the
    contents (LP: #1662164)
    - debian/rules: Fix typo that prevented dh_fixperms from applying the
      correct ldapscripts.passwd permissions

5) You didn't mention what level of testing you performed. Were you able to
   verify that the file permissions were correct after installing the new
   package?

Please attach new debdiffs and mention the testing that you were able to
perform. Thanks again and don't hesitate to ask any questions!

Tyler Hicks (tyhicks) on 2017-02-10
Changed in ldapscripts (Ubuntu):
status: New → Incomplete
importance: Undecided → Medium
assignee: nobody → Dan Bishop (danbishop)
Tyler Hicks (tyhicks) wrote :

I've unsubscribed ubuntu-security-sponsors.

Dan, please resubscribe ubuntu-security-sponsors and set the status to 'NEW' when you're able to make the changes mentioned in comment #5. Thanks!

tags: added: patch-needswork
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.