forked from pool/openldap2
Accepting request 1031423 from network:ldap
OBS-URL: https://build.opensuse.org/request/show/1031423 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/openldap2?expand=0&rev=177
This commit is contained in:
commit
88f45b0e6f
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Sep 26 05:16:18 UTC 2022 - William Brown <william.brown@suse.com>
|
||||||
|
|
||||||
|
- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user
|
||||||
|
to privilege escalate to root due to unbound chown commands.
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder <michael@stroeder.com>
|
Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder <michael@stroeder.com>
|
||||||
|
|
||||||
|
@ -6,6 +6,23 @@ After=syslog.target network.target
|
|||||||
Type=forking
|
Type=forking
|
||||||
ExecStart=/usr/lib/openldap/start
|
ExecStart=/usr/lib/openldap/start
|
||||||
|
|
||||||
|
# Hardening to prevent security escalation.
|
||||||
|
## Future hardening for FS protection.
|
||||||
|
# ProtectSystem=full
|
||||||
|
# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap
|
||||||
|
|
||||||
|
RestrictSUIDSGID=true
|
||||||
|
NoNewPrivileges=true
|
||||||
|
PrivateTmp=true
|
||||||
|
PrivateDevices=true
|
||||||
|
ProtectHostname=true
|
||||||
|
ProtectClock=true
|
||||||
|
ProtectKernelTunables=true
|
||||||
|
ProtectKernelModules=true
|
||||||
|
ProtectKernelLogs=true
|
||||||
|
ProtectControlGroups=true
|
||||||
|
MemoryDenyWriteExecute=true
|
||||||
|
|
||||||
[Install]
|
[Install]
|
||||||
WantedBy=multi-user.target
|
WantedBy=multi-user.target
|
||||||
|
|
||||||
|
34
start
34
start
@ -80,11 +80,17 @@ depth=0;
|
|||||||
|
|
||||||
function chown_database_dirs_bconfig() {
|
function chown_database_dirs_bconfig() {
|
||||||
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
|
ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}')
|
||||||
for dir in $ldapdir; do
|
for dir in $(realpath ${ldapdir}); do
|
||||||
|
if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then
|
||||||
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
||||||
chown -R $OPENLDAP_USER $dir 2>/dev/null
|
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
|
||||||
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
||||||
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
|
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
|
||||||
|
else
|
||||||
|
echo "Skipping chown -h of external directory for security reasons. You must manually run:"
|
||||||
|
echo "# chown -h -R $OPENLDAP_USER $dir"
|
||||||
|
echo "# chgrp -h -R $OPENLDAP_GROUP $dir"
|
||||||
|
fi
|
||||||
done
|
done
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -92,9 +98,9 @@ function chown_database_dirs() {
|
|||||||
ldapdir=`grep ^directory $1 | awk '{print $2}'`
|
ldapdir=`grep ^directory $1 | awk '{print $2}'`
|
||||||
for dir in $ldapdir; do
|
for dir in $ldapdir; do
|
||||||
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
[ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \
|
||||||
chown -R $OPENLDAP_USER $dir 2>/dev/null
|
chown -h -R $OPENLDAP_USER $dir 2>/dev/null
|
||||||
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
[ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \
|
||||||
chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null
|
chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null
|
||||||
done
|
done
|
||||||
includes=`grep ^include $1 | awk '{print $2}'`
|
includes=`grep ^include $1 | awk '{print $2}'`
|
||||||
if [ $depth -le 50 ]; then
|
if [ $depth -le 50 ]; then
|
||||||
@ -112,30 +118,30 @@ GROUP_CMD=""
|
|||||||
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
|
[ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf"
|
||||||
|
|
||||||
|
|
||||||
# chown backend directories if OPENLDAP_CHOWN_DIRS ist set
|
# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set
|
||||||
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
|
if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then
|
||||||
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
|
if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then
|
||||||
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
|
if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then
|
||||||
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
||||||
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
||||||
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
||||||
# assume back-config usage if slapd.conf is not present but slapd.d is
|
# assume back-config usage if slapd.conf is not present but slapd.d is
|
||||||
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
|
elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then
|
||||||
chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null
|
||||||
chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null
|
||||||
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
chown_database_dirs_bconfig "/etc/openldap/slapd.d"
|
||||||
else
|
else
|
||||||
chown_database_dirs "/etc/openldap/slapd.conf"
|
chown_database_dirs "/etc/openldap/slapd.conf"
|
||||||
chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
|
chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null
|
||||||
fi
|
fi
|
||||||
if test -f /etc/sasl2/slapd.conf ; then
|
if test -f /etc/sasl2/slapd.conf ; then
|
||||||
chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
|
chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null
|
||||||
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
|
chmod 640 /etc/sasl2/slapd.conf 2>/dev/null
|
||||||
fi
|
fi
|
||||||
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
|
if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then
|
||||||
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
|
keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/}
|
||||||
if test -f $keytabfile ; then
|
if test -f $keytabfile ; then
|
||||||
chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null
|
chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null
|
||||||
chmod g+r $keytabfile 2>/dev/null
|
chmod g+r $keytabfile 2>/dev/null
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
@ -159,7 +165,7 @@ init_ldaps_listener_urls
|
|||||||
|
|
||||||
if [ ! -d $SLAPD_PID_DIR ]; then
|
if [ ! -d $SLAPD_PID_DIR ]; then
|
||||||
mkdir -p $SLAPD_PID_DIR
|
mkdir -p $SLAPD_PID_DIR
|
||||||
chown ldap:ldap $SLAPD_PID_DIR
|
chown -h ldap:ldap $SLAPD_PID_DIR
|
||||||
fi
|
fi
|
||||||
echo -n "Starting ldap-server"
|
echo -n "Starting ldap-server"
|
||||||
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
|
exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
|
||||||
|
Loading…
Reference in New Issue
Block a user