1
0
forked from pool/openldap2

Accepting request 1031422 from home:firstyear:branches:network:ldap

- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user
  to privilege escalate to root due to unbound chown commands.

OBS-URL: https://build.opensuse.org/request/show/1031422
OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=307
This commit is contained in:
William Brown 2022-10-27 01:27:25 +00:00 committed by Git OBS Bridge
parent 5c86a602e3
commit 8644a7376a
3 changed files with 43 additions and 14 deletions

View File

@ -1,3 +1,9 @@
-------------------------------------------------------------------
Mon Sep 26 05:16:18 UTC 2022 - William Brown <william.brown@suse.com>
- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user
to privilege escalate to root due to unbound chown commands.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder <michael@stroeder.com> Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder <michael@stroeder.com>

View File

@ -6,6 +6,23 @@ After=syslog.target network.target
Type=forking Type=forking
ExecStart=/usr/lib/openldap/start ExecStart=/usr/lib/openldap/start
# Hardening to prevent security escalation.
## Future hardening for FS protection.
# ProtectSystem=full
# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
RestrictSUIDSGID=true
NoNewPrivileges=true
PrivateTmp=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
MemoryDenyWriteExecute=true
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target

34
start
View File

@ -80,11 +80,17 @@ depth=0;
function chown_database_dirs_bconfig() { function chown_database_dirs_bconfig() {
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}') ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
for dir in $ldapdir; do for dir in $(realpath ${ldapdir}); do
if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -R $OPENLDAP_USER $dir 2>/dev/null chown -h -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
else
echo "Skipping chown -h of external directory for security reasons. You must manually run:"
echo "# chown -h -R $OPENLDAP_USER $dir"
echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
fi
done done
} }
@ -92,9 +98,9 @@ function chown_database_dirs() {
ldapdir=`grep ^directory $1 | awk '{print $2}'` ldapdir=`grep ^directory $1 | awk '{print $2}'`
for dir in $ldapdir; do for dir in $ldapdir; do
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
chown -R $OPENLDAP_USER $dir 2>/dev/null chown -h -R $OPENLDAP_USER $dir 2>/dev/null
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
done done
includes=`grep ^include $1 | awk '{print $2}'` includes=`grep ^include $1 | awk '{print $2}'`
if [ $depth -le 50 ]; then if [ $depth -le 50 ]; then
@ -112,30 +118,30 @@ GROUP_CMD=""
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf" [ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
# chown backend directories if OPENLDAP_CHOWN_DIRS ist set # chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d" chown_database_dirs_bconfig "/etc/openldap/slapd.d"
# assume back-config usage if slapd.conf is not present but slapd.d is # assume back-config usage if slapd.conf is not present but slapd.d is
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
chown_database_dirs_bconfig "/etc/openldap/slapd.d" chown_database_dirs_bconfig "/etc/openldap/slapd.d"
else else
chown_database_dirs "/etc/openldap/slapd.conf" chown_database_dirs "/etc/openldap/slapd.conf"
chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
fi fi
if test -f /etc/sasl2/slapd.conf ; then if test -f /etc/sasl2/slapd.conf ; then
chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
fi fi
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/} keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
if test -f $keytabfile ; then if test -f $keytabfile ; then
chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
chmod g+r $keytabfile 2>/dev/null chmod g+r $keytabfile 2>/dev/null
fi fi
fi fi
@ -159,7 +165,7 @@ init_ldaps_listener_urls
if [ ! -d $SLAPD_PID_DIR ]; then if [ ! -d $SLAPD_PID_DIR ]; then
mkdir -p $SLAPD_PID_DIR mkdir -p $SLAPD_PID_DIR
chown ldap:ldap $SLAPD_PID_DIR chown -h ldap:ldap $SLAPD_PID_DIR
fi fi
echo -n "Starting ldap-server" echo -n "Starting ldap-server"
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \ exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \