On Fri, 2009-01-02 at 21:08 -0700, Joe wrote:

> Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy? From
> the Eating Security page, this is what I was talking about earlier:
>
> "Another file with a plain text password is /etc/ldap.secret. This file
> must contain the rootdn password in plain text, but is again somewhat
> mitigated with file permissions."
>
> Help me out here. Doesn't that basically mean that the root id and
> password will be in that file and all apps that use the directory
> service can be compromised if that file is compromised? i.e. a
> vulnerability in virus scanner, web server, email server, ....
>
> I think there is some really good information on that page and want to
> explore it further. I would love to have a centralized ldap server that
> if one of the apps were compromised, all the others could remain safe.
>
> I totally agree that one would need more than 2 ACL's, but those are
> hard to write properly and understand the ramifications.

----

In my setups, the only app that uses /etc/ldap.secret is pam itself for authentication. Yes, it is a flat file but so are /etc/passwd and /etc/shadow. No, the file only contains the rootbinddn password and nothing else. Of course the rootbinddn id is discoverable from /etc/ldap.conf, which is pretty much world readable to be useful.

Again, I pretty much allow anonymous binds for most everything, so it's easy enough for anyone, anywhere, without authentication to get info from most of LDAP...

    ldapsearch -x -D '' '(mail=craig*)'    # note: -D '' means an empty bind

and get replies. This pretty much satisfies Postfix and Cyrus for mail deliveries.

I'm not sure where you're going with web server - I mean I do use mod_authz_ldap, but I just set it to 'require valid user' or 'require group' and let the user supply authentication information, so again, the only thing that uses /etc/ldap.secret is nss/pam.
As far as everything being compromised if the file is compromised - sure - it gives you root level access - i.e. you can set your own user id to 0 if you wish. It's the same as cracking /etc/shadow or changing the root password. The thing that you fail to equate is that booting into run level 1, which allows you to read the /etc/ldap.secret file, also allows you to do virtually everything else equivalent (change root password, copy /etc/shadow to user space, install key-loggers, etc.).

Basically, the way I figger, if you have users booting to run level 1, your network security has already been compromised. Heck - if it were me and my mindset were to become super user and I booted to run level 1, I wouldn't waste my time with /etc/ldap.secret at all... I would just copy /etc/shadow, /var/log/wtmp, /var/log/secure, /root/.bash_history to somewhere safe, change the root password, up the run level, do my dirty work, replace the files I copied and reboot.

Craig

---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
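The mitigation both posters lean on for /etc/ldap.secret is file permissions, so the practical defender's check is whether that file is actually locked down: a regular file, owned by the expected account, with no group or world bits. The script below is an added example written for this discussion, not code from the mailing list or from pam_ldap/nss_ldap; the function name, the expected-owner parameter and the constructed password line in the demo are all assumptions. It uses only POSIX `ls`, `cut` and `awk`, so it runs on any of the systems described in the thread.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): audit an LDAP secret file
# such as /etc/ldap.secret, which pam_ldap/nss_ldap reads for the rootbinddn
# password. The check is:
#   1. the path is a regular file
#   2. it is owned by the expected account (root in production)
#   3. no group or world permission bits are set (mode 0600 or stricter)
# Returns 0 when all three hold, 1 otherwise, printing the reason on failure.
check_ldap_secret() {
    f="$1"
    owner="${2:-root}"          # expected owner; defaults to root
    [ -f "$f" ] || { echo "FAIL: $f is not a regular file"; return 1; }
    # POSIX ls -ld output, e.g.:
    # "-rw-------  1 root root  13 Jan  2 21:08 /etc/ldap.secret"
    line=$(ls -ld "$f")
    perms=$(printf '%s\n' "$line" | cut -c1-10)   # ignore a trailing '+'/'.' ACL marker
    actual_owner=$(printf '%s\n' "$line" | awk '{print $3}')
    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL: $f owned by $actual_owner, expected $owner"; return 1
    fi
    # characters 5-10 of the mode string are the group and other bits
    case "$(printf '%s\n' "$perms" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $f has group/other permissions ($perms)"; return 1 ;;
    esac
    echo "OK: $f is $perms, owned by $owner"
    return 0
}

# Demo on a constructed secret file in a temp dir. The expected owner is the
# current user so the demo works without root; in production pass "root" or
# omit the second argument. Prints the two result codes on its last line.
demo_ldap_secret_audit() {
    d=$(mktemp -d)
    me=$(id -un)
    printf 'constructed-rootdn-password\n' > "$d/ldap.secret"
    chmod 644 "$d/ldap.secret"
    check_ldap_secret "$d/ldap.secret" "$me" && rc1=0 || rc1=1   # world-readable: FAIL
    chmod 600 "$d/ldap.secret"
    check_ldap_secret "$d/ldap.secret" "$me" && rc2=0 || rc2=1   # locked down: OK
    rm -rf "$d"
    echo "$rc1 $rc2"
}

demo_ldap_secret_audit
```

Run it as `sh audit_ldap_secret.sh`; for the real file call `check_ldap_secret /etc/ldap.secret` (owner defaults to root). Note that a `+` in the eleventh column of `ls -ld` means a POSIX ACL is present, which the mode string alone does not describe, so an ACL-bearing file needs a separate `getfacl` review.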