On Monday 13 October 2008 21:03:36 you wrote:
> From: Rafal Kupka <[EMAIL PROTECTED]>
> To: Debian Bug Tracking System <[EMAIL PROTECTED]>
> Subject: libldap2 reads from ~/.ldaprc and $PWD/ldaprc while running
> privileged programs
> Date: Fri, 11 Jun 2004 14:21:48 +0200
> Package: libldap2
> Version: 2.1.30-1
> Severity: normal
> Tags: security
>
> This bug is visible in systems with libnss-ldap and libpam-ldap.
> Even privileged programs (like su) read the configuration file from the user's
> home and current directory (and follow symlinks too).

Ouch, I can't understand how I let this slip back then. I just checked the
sources of OpenLDAP 2.4.11-1 and basically this report still applies.

That is, libldap will gladly read $HOME/.ldaprc. The ldaprc in the current
directory has not been read for quite some time now; that misfeature was removed in
1998:
http://www.openldap.org/devel/cvsweb.cgi/libraries/libldap/init.c.diff?r1=1.8&r2=1.9&hideattic=1&sortbydate=0&f=h
Now a ldaprc can be defined using the "LDAPRC" environment variable instead,
which is not that much better. LDAPCONF will work as well.

The RedHat fix can be found here, BTW:
http://cvs.fedoraproject.org/viewvc/rpms/openldap/F-9/openldap-2.0.11-ldaprc.patch?revision=1.1&view=markup

This completely disables the .ldaprc file, but the LDAPRC and LDAPCONF environment
variables would still work.

I would like to apply a patch to disable LDAPRC, LDAPCONF and .ldaprc when the 
effective uid does not match the real uid. 

Comments?

Torsten

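The check proposed above, as an added illustration that is not OpenLDAP's or Debian's code: a small C routine that decides which ldaprc-style configuration sources a library should honour. The system-wide file is always read; $HOME/.ldaprc and the LDAPCONF / LDAPRC environment variables are only consulted when the real and effective uid match, so a setuid program such as su ignores everything the invoking user controls. The file paths, the variable lookup callback and the constructed environment used for the demonstration are assumptions for the sake of the example; a second helper shows how to open a per-user file without following symlinks, the other point raised in the original report.

```c
/* Added example, not libldap code: gate user-controlled LDAP configuration
 * sources on "effective uid == real uid", as proposed in the mail. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define SYSCONF_FILE "/etc/ldap/ldap.conf"   /* assumed system-wide path */
#define USERRC_FILE  ".ldaprc"               /* assumed per-user file name */
#define MAX_SOURCES  4
#define PATH_LEN     1024

typedef const char *(*getenv_fn)(const char *name);

static char sources[MAX_SOURCES][PATH_LEN]; /* filled by collect_sources() */

/* Per-user sources are trusted only while the process holds no privilege
 * it did not get from the invoking user: real and effective uid must match.
 * A setuid program that already did setuid(getuid()) passes this check. */
int user_config_allowed(uid_t ruid, uid_t euid)
{
    return ruid == euid;
}

/* Build the ordered list of configuration files to read and return how
 * many there are.  `env` abstracts getenv() so the logic can be exercised
 * with a constructed environment instead of the process's own. */
int collect_sources(uid_t ruid, uid_t euid, getenv_fn env)
{
    int n = 0;
    const char *v;

    /* The system-wide file is always read: only root can write it. */
    snprintf(sources[n++], PATH_LEN, "%s", SYSCONF_FILE);

    /* Privileged: stop here and ignore everything the user controls. */
    if (!user_config_allowed(ruid, euid))
        return n;

    /* LDAPCONF names an alternative system-style configuration file. */
    if (n < MAX_SOURCES && (v = env("LDAPCONF")) != NULL && *v)
        snprintf(sources[n++], PATH_LEN, "%s", v);

    /* LDAPRC replaces $HOME/.ldaprc (simplified: taken as a path here). */
    if (n < MAX_SOURCES) {
        v = env("LDAPRC");
        if (v != NULL && *v) {
            snprintf(sources[n++], PATH_LEN, "%s", v);
        } else {
            const char *home = env("HOME");
            if (home != NULL && *home)
                snprintf(sources[n++], PATH_LEN, "%s/%s", home, USERRC_FILE);
        }
    }
    return n;
}

const char *source_at(int i)
{
    return (i >= 0 && i < MAX_SOURCES) ? sources[i] : "";
}

/* Open a per-user file without following a symlink and refuse it unless it
 * is a regular file owned by the real user.  Returns the fd or -1. */
int open_user_config(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != owner) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed environment of a hostile caller (not a real capture). */
const char *demo_env(const char *name)
{
    if (strcmp(name, "HOME") == 0)     return "/home/alice";
    if (strcmp(name, "LDAPCONF") == 0) return "/tmp/alice/ldap.conf";
    if (strcmp(name, "LDAPRC") == 0)   return "/tmp/alice/ldaprc";
    return NULL;
}

static const char *real_env(const char *name) { return getenv(name); }

int main(void)
{
    /* Same environment, once as a setuid-root process and once as the user. */
    int n = collect_sources(1000, 0, demo_env);
    printf("setuid (ruid 1000, euid 0): %d source(s)\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", source_at(i));

    n = collect_sources(1000, 1000, demo_env);
    printf("unprivileged (ruid 1000, euid 1000): %d source(s)\n", n);
    for (int i = 0; i < n; i++) printf("  %s\n", source_at(i));

    /* What this very process would read, using its real uids and environment. */
    n = collect_sources(getuid(), geteuid(), real_env);
    printf("this process: %d source(s), first is %s\n", n, source_at(0));
    return 0;
}
```

One caveat a practitioner would add: comparing real and effective uid misses setgid programs and binaries that gained file capabilities, which are just as exposed to a hostile environment. On glibc 2.17 and later, secure_getenv() returns NULL whenever the kernel flagged the process as AT_SECURE, which covers all three cases; BSDs offer issetugid() for the same purpose. The uid comparison is the portable fallback, not the most complete test.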

