On Fri, 2009-01-02 at 21:08 -0700, Joe wrote:
> Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy? From
> the Eating Security page, this is what I was talking about eariler:
>
> "Another file with a plain text password is /etc/ldap.secret. This file
> must contain the rootdn password in plain text, but is again somewhat
> mitigated with file permissions."
>
> Help me out here. Doesn't that basically mean that the root id and
> password will be in that file and all apps that use the directory
> service can be compromised if that file is compromised? i.e. a
> vulnerability in virus scanner, web server, email server, ....
>
> I think there is some really good information on that page and want to
> explore it further. I would love to have a centralized ldap server that
> if one of the apps were compromised, all the others could remain safe.
>
> I totally agree that one would need more than 2 ACL's, but those are
> hard to write properly and understand the ramifications.
----
In my setups, the only app that uses /etc/ldap.secret is pam itself for
authentication. Yes, it is a flat file but so
is /etc/passwd, /etc/shadow.
No, the file only contains rootbinddn password and nothing else. Of
course the rootbinddn id is discoverable from /etc/ldap.conf which is
pretty much world readable to be useful.
Again, I pretty much allow anonymous binds for most everything so it's
easy enough for anyone, anywhere without authentication to get info from
most of LDAP...
ldapsearch -x -D '' '(mail=craig*)' #note -D '' means an empty bind
and get replies. This pretty much satisfies Postfix and Cyrus for mail
deliveries. I'm not sure where you're going with web server - I mean I
do use mod_authz_ldap but I just set it to 'require valid user' or
'require group' and let the user supply authentication information so
again, the only thing that uses /etc/ldap.secret is nss/pam.
As far as everything being compromised if the file is compromised - sure
- it gives you root level access - i.e. - you can set your own user id
to 0 if you wish. It's the same as cracking /etc/shadow or changing root
password. The thing that you fail to equate that booting into run level
1 which allows you to read the /etc/ldap.secret file also allows you to
do virtually everything else equivalent (change root password,
copy /etc/shadow to user space, install key-loggers, etc.) Basically,
the way I figger, if you have users booting to run level 1, your network
security has already been compromised.
Heck - if it were me and my mind set were to become super user and I
booted to run level 1, I wouldn't waste my time with /etc/ldap.secret at
all...I would just
copy /etc/shadow, /var/log/wtmp, /var/log/secure, /root/.bash_history to
somewhere safe, change root password, up the run level, do my dirty
work, replace the files I copied and reboot.
Craig
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
(text/plain)