From 8644a7376a1d4b539d36ad5148d8327f5e901e3f871c731de9f5e632aee6cca1 Mon Sep 17 00:00:00 2001 From: William Brown Date: Thu, 27 Oct 2022 01:27:25 +0000 Subject: [PATCH] Accepting request 1031422 from home:firstyear:branches:network:ldap - bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user to privilege escalate to root due to unbound chown commands. OBS-URL: https://build.opensuse.org/request/show/1031422 OBS-URL: https://build.opensuse.org/package/show/network:ldap/openldap2?expand=0&rev=307 --- openldap2.changes | 6 ++++++ slapd.service | 17 +++++++++++++++++ start | 34 ++++++++++++++++++++-------------- 3 files changed, 43 insertions(+), 14 deletions(-) diff --git a/openldap2.changes b/openldap2.changes index fc7f6da..d2b9a6d 100644 --- a/openldap2.changes +++ b/openldap2.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Sep 26 05:16:18 UTC 2022 - William Brown + +- bsc#1202931 - CVE-2022-31253 - Openldap start script allowed the ldap user + to privilege escalate to root due to unbound chown commands. + ------------------------------------------------------------------- Thu Jul 14 21:22:41 UTC 2022 - Michael Ströder diff --git a/slapd.service b/slapd.service index 81ba83d..44bacdb 100644 --- a/slapd.service +++ b/slapd.service @@ -6,6 +6,23 @@ After=syslog.target network.target Type=forking ExecStart=/usr/lib/openldap/start +# Hardening to prevent security escalation. +## Future hardening for FS protection. +# ProtectSystem=full +# ReadWritePaths=/etc/openldap/slapd.d /var/lib/ldap + +RestrictSUIDSGID=true +NoNewPrivileges=true +PrivateTmp=true +PrivateDevices=true +ProtectHostname=true +ProtectClock=true +ProtectKernelTunables=true +ProtectKernelModules=true +ProtectKernelLogs=true +ProtectControlGroups=true +MemoryDenyWriteExecute=true + [Install] WantedBy=multi-user.target diff --git a/start b/start index 5bd94e7..7bb6973 100644 --- a/start +++ b/start 
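Review bot: The two directives that would confine where the root-run `ExecStart=/usr/lib/openldap/start` can write, `ProtectSystem=full` and `ReadWritePaths=`, are left commented out under "Future hardening" in the slapd.service hunk with no reason given. The options that are enabled restrict privilege gain and kernel interfaces, but none of them limits which paths the start script's chown/chgrp calls can reach. I would add a comment saying what blocks enabling them, for example `# Not enabled yet: start also runs chgrp/chmod on /etc/openldap/slapd.conf, /etc/sasl2/slapd.conf and the keytab, which ProtectSystem=full would make read-only`. That reason is inferred from the start-script hunks of this patch and should be confirmed by the author.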
@@ -80,11 +80,17 @@ depth=0; function chown_database_dirs_bconfig() { ldapdir=$(find $1 -type f -name "olcDatabase*" | xargs grep -i olcdbdirectory | awk '{print $2}') - for dir in $ldapdir; do + for dir in $(realpath ${ldapdir}); do + if [[ $dir =~ ^/var/lib/ldap$|^/var/lib/ldap/.* ]]; then [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ - chown -R $OPENLDAP_USER $dir 2>/dev/null + chown -h -R $OPENLDAP_USER $dir 2>/dev/null [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ - chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null + else + echo "Skipping chown -h of external directory for security reasons. You must manually run:" + echo "# chown -h -R $OPENLDAP_USER $dir" + echo "# chgrp -h -R $OPENLDAP_GROUP $dir" + fi done } @@ -92,9 +98,9 @@ function chown_database_dirs() { ldapdir=`grep ^directory $1 | awk '{print $2}'` for dir in $ldapdir; do [ -d "$dir" ] && [ -n "$OPENLDAP_USER" ] && \ - chown -R $OPENLDAP_USER $dir 2>/dev/null + chown -h -R $OPENLDAP_USER $dir 2>/dev/null [ -d "$dir" ] && [ -n "$OPENLDAP_GROUP" ] && \ - chgrp -R $OPENLDAP_GROUP $dir 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP $dir 2>/dev/null done includes=`grep ^include $1 | awk '{print $2}'` if [ $depth -le 50 ]; then 
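Review bot: The `else` branch in chown_database_dirs_bconfig prints a ready-to-paste `chown -h -R $OPENLDAP_USER $dir` for a path that has just failed the /var/lib/ldap check. That path is read from olcDbDirectory under /etc/openldap/slapd.d, a tree which a later hunk of this patch still hands to $OPENLDAP_USER. An administrator who follows the hint as root performs the unbounded chown by hand. I would reword the message so it asks for verification instead of supplying the command, e.g. `echo "Not changing ownership of $dir: outside /var/lib/ldap. Verify this database directory before adjusting ownership manually." >&2`. Separately, `$(realpath ${ldapdir})` runs with no operand when no olcDbDirectory is found, and its error output is not redirected the way the chown errors are.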
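Review bot: chown_database_dirs only gains `-h` in this hunk; the `realpath` and /var/lib/ldap prefix check added to chown_database_dirs_bconfig in the previous hunk is not applied here. Every `directory` value in slapd.conf, and in the files it includes, is therefore still chowned recursively wherever it points. Whether that matters depends on who can write slapd.conf and its includes, which this patch does not show, but the two functions should agree. I would wrap the chown/chgrp pair in the same guard, `if [[ $(realpath "$dir") =~ ^/var/lib/ldap(/.*)?$ ]]; then`, with the skip message in the `else`. The function body continues past the end of this hunk.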
@@ -112,30 +118,30 @@ GROUP_CMD="" [ ! "x$OPENLDAP_CONFIG_BACKEND" = "xldap" ] && SLAPD_CONFIG_ARG="-f /etc/openldap/slapd.conf" -# chown backend directories if OPENLDAP_CHOWN_DIRS ist set +# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set if [ "$(echo "$OPENLDAP_CHOWN_DIRS" | tr 'A-Z' 'a-z')" = "yes" ]; then if [ -n "$OPENLDAP_USER" -o -n "$OPENLDAP_GROUP" ]; then if [ -n "$OPENLDAP_CONFIG_BACKEND" -a "$OPENLDAP_CONFIG_BACKEND" = "ldap" ]; then - chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null - chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null + chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chown_database_dirs_bconfig "/etc/openldap/slapd.d" # assume back-config usage if slapd.conf is not present but slapd.d is elif [ ! -f /etc/openldap/slapd.conf -a /etc/openldap/slapd.d ]; then - chown -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null - chgrp -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null + chown -h -R $OPENLDAP_USER /etc/openldap/slapd.d 2>/dev/null + chgrp -h -R $OPENLDAP_GROUP /etc/openldap/slapd.d 2>/dev/null chown_database_dirs_bconfig "/etc/openldap/slapd.d" else chown_database_dirs "/etc/openldap/slapd.conf" - chgrp $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null + chgrp -h $OPENLDAP_GROUP /etc/openldap/slapd.conf 2>/dev/null fi if test -f /etc/sasl2/slapd.conf ; then - chgrp $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null + chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf 2>/dev/null chmod 640 /etc/sasl2/slapd.conf 2>/dev/null fi if [ -n "$OPENLDAP_KRB5_KEYTAB" ]; then keytabfile=${OPENLDAP_KRB5_KEYTAB/#FILE:/} if test -f $keytabfile ; then - chgrp $OPENLDAP_GROUP $keytabfile 2>/dev/null + chgrp -h $OPENLDAP_GROUP $keytabfile 2>/dev/null chmod g+r $keytabfile 2>/dev/null fi fi 
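Review bot: Adding `-h` to the single-file calls `chgrp -h $OPENLDAP_GROUP $keytabfile` and `chgrp -h $OPENLDAP_GROUP /etc/sasl2/slapd.conf` changes what happens when the path is a symlink. The link's own group is changed, while the `chmod` on the next line, like the `test -f` before it, still acts on the target. A keytab or SASL config reached through a symlink would then keep its old group and nothing in the script reports it, so slapd may only fail later when it cannot read the file. I would either skip symlinks explicitly, `if test -f "$keytabfile" && ! test -L "$keytabfile"; then`, or document that these files must not be symlinks. The comment rewritten to `# chown -h backend directories if OPENLDAP_CHOWN_DIRS ist set` looks like a search-and-replace artefact; `# chown backend directories if OPENLDAP_CHOWN_DIRS is set` reads better.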
@@ -159,7 +165,7 @@ init_ldaps_listener_urls if [ ! -d $SLAPD_PID_DIR ]; then mkdir -p $SLAPD_PID_DIR - chown ldap:ldap $SLAPD_PID_DIR + chown -h ldap:ldap $SLAPD_PID_DIR fi echo -n "Starting ldap-server" exec $SLAPD_BIN -h "$LDAP_URLS $LDAPS_URLS $LDAPI_URLS" \
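Review bot: `chown -h ldap:ldap $SLAPD_PID_DIR` runs whether or not the `mkdir -p` before it succeeded. The `[ ! -d $SLAPD_PID_DIR ]` test also passes when the path exists but is not a directory, in which case the ownership of whatever sits at that path is changed. Chaining the two commands and quoting the variable avoids that: `mkdir -p "$SLAPD_PID_DIR" && chown -h ldap:ldap "$SLAPD_PID_DIR"`. The owner is also hard-coded as ldap:ldap while the rest of the script uses $OPENLDAP_USER and $OPENLDAP_GROUP, which predates this patch. The `exec` statement at the end of the hunk continues outside it.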