Full_Name: Moritz Mühlenhoff
Version: 2.4.40
OS: Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (91.96.145.189)
I set up a test system which made use of the slapo-auditlog overlay using these config options:
    moduleload auditlog
    overlay auditlog
    auditlog /var/lib/ldap/slapd-audit.log
The /var/lib/ldap/slapd-audit.log was created with world-readable permissions, which constitutes a security issue since that file also logs sensitive attributes which are otherwise protected by ACLs (such as password hashes).
Proposed patch:
diff -aur openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c openldap-2.4.40+dfsg/rvrvers/slapd/overlays/auditlog.c --- openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c 2014-09-19 01:48:49.000000000 +0000 +++ openldap-2.4.40+dfsg/servers/slapd/overlays/auditlog.c 2015-12-02 11:08:24.331146770 +0000 @@ -121,6 121,7 @@
peername = op->o_conn->c_peer_name; ldap_pvt_thread_mutex_lock(&ad->ad_mutex); + umask(027); if((f = fopen(ad->ad_logfile, "a")) == NULL) { ldap_pvt_thread_mutex_unlock(&ad->ad_mutex); return SLAP_CB_CONTINUE;
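Review bot: the `umask(027)` inserted before the `fopen()` in this hunk is never restored, and the umask is process-wide, not per-thread, so after the first audit write every file slapd subsequently creates (other overlays, back-end files, and files created concurrently by other threads, which holding `ad_mutex` does not serialise) is created under the tightened mask; conversely, the mask only matters at creation time, so an already existing world-readable slapd-audit.log is left as it is. Prefer `open(ad->ad_logfile, O_WRONLY|O_APPEND|O_CREAT, 0600)` (or 0640) followed by `fdopen(fd, "a")`, which gives an explicit mode independent of the umask and touches no process-global state; if `fopen()` has to stay, at least save and restore the mask (`mode_t old = umask(027);` ... `umask(old);` right after the call), noting that this remains racy against other threads. The patch description should also say that existing installations need to correct the permissions of the already-created file by hand.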