moritz@wikimedia.org wrote:
Full_Name: Moritz Mühlenhoff
Version: 2.4.40
OS: Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (91.96.145.189)
I set up a test system which made use of the slapo-auditlog overlay using these config options:
moduleload auditlog
overlay auditlog
auditlog /var/lib/ldap/slapd-audit.log
The /var/lib/ldap/slapd-audit.log was created with world-readable permissions, which constitutes a security issue since that file also logs sensitive attributes which are otherwise protected by ACLs (such as password hashes).
Proposed patch:
diff -aur openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c openldap-2.4.40+dfsg/rvrvers/slapd/overlays/auditlog.c --- openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c 2014-09-19 01:48:49.000000000 +0000 +++ openldap-2.4.40+dfsg/servers/slapd/overlays/auditlog.c 2015-12-02 11:08:24.331146770 +0000 @@ -121,6 121,7 @@
peername = op->o_conn->c_peer_name; ldap_pvt_thread_mutex_lock(&ad->ad_mutex);
umask(027); if((f = fopen(ad->ad_logfile, "a")) == NULL) { ldap_pvt_thread_mutex_unlock(&ad->ad_mutex); return SLAP_CB_CONTINUE;
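Review bot: the umask(027) added at the top of the hunk is set just before fopen() and never restored, and since umask is process-wide it changes the mode of every file slapd creates afterwards from any thread (ad->ad_mutex only serialises auditlog writers, it does not scope the umask). Create the log with an explicit mode instead, e.g. open(ad->ad_logfile, O_WRONLY|O_CREAT|O_APPEND, 0600) followed by fdopen(), and fchmod() the descriptor so a log file that already exists world-readable is tightened as well. Separately, the hunk header reads "@@ -121,6 121,7 @@" (the "+" before the new range is missing) and the new-file path in the diff line contains "rvrvers" instead of "servers", so the patch will not apply as posted.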
The patch is unacceptable; umask() is process-wide and persistent. No slapd code should be overriding any umask that may have been set when slapd was launched.
The correct fix for this is to set the desired umask in whatever startup script you use to start slapd. Closing this ITS.
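The two outcomes discussed in this thread side by side, as an added example that is not OpenLDAP code: creating the log the way fopen("a") does, which yields 0666 masked by the process umask (0644 with the common 022 default, hence world-readable), beside a hypothetical open_private_log() helper that passes an explicit mode to open() and enforces it with fchmod(), without touching the process-wide umask. The /tmp path and the audit line are constructed for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper (not slapd code): open an append-only log with an explicit
 * mode passed to open() and enforced with fchmod(), so the result does not depend
 * on the process-wide umask and nothing changes for other threads. */
FILE *open_private_log(const char *path, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, mode);
    if (fd < 0) return NULL;
    /* open() masks `mode` with the umask; fchmod() fixes the final bits and also
     * tightens a file that already existed with looser permissions. */
    if (fchmod(fd, mode) != 0) { close(fd); return NULL; }
    FILE *f = fdopen(fd, "a");
    if (f == NULL) close(fd);
    return f;
}

/* Permission bits of `path`, or -1 if it cannot be stat()ed. */
int mode_bits(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Create a fresh file at a constructed /tmp path either the way the overlay does
 * (fopen "a": 0666 & ~umask) or via open_private_log(), append one constructed
 * audit line, and return the permission bits the file ended up with. */
static int create_and_measure(int use_private)
{
    char path[64];
    snprintf(path, sizeof path, "/tmp/auditlog-example-%ld.log", (long)getpid());
    unlink(path);
    umask(022);                        /* the common default umask */
    FILE *f = use_private ? open_private_log(path, 0600) : fopen(path, "a");
    if (f == NULL) return -1;
    fputs("replace: userPassword: {SSHA}constructed-sample-hash\n", f);
    fclose(f);
    int bits = mode_bits(path);
    unlink(path);
    return bits;
}

int demo_fopen_mode(void)   { return create_and_measure(0); }  /* 0644: world-readable */
int demo_private_mode(void) { return create_and_measure(1); }  /* 0600 */
```

The fchmod() step is what makes the helper safe to use against a log that was already created world-readable by an earlier slapd run.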