Re: Linux Administration - Users in (any) database howto/why...

Craig White craigwhite at azapple.com
Fri Jan 2 21:43:56 MST 2009


On Fri, 2009-01-02 at 21:08 -0700, Joe wrote:
> Sorry Craig, I had to jump in again. smbpasswd -w drives you crazy? From 
> the Eating Security page, this is what I was talking about earlier:
> 
> "Another file with a plain text password is /etc/ldap.secret. This file 
> must contain the rootdn password in plain text, but is again somewhat 
> mitigated with file permissions."
> 
> Help me out here. Doesn't that basically mean that the root id and 
> password will be in that file and all apps that use the directory 
> service can be compromised if that file is compromised? i.e. a 
> vulnerability in virus scanner, web server, email server, ....
> 
> I think there is some really good information on that page and want to 
> explore it further. I would love to have a centralized ldap server that 
> if one of the apps were compromised, all the others could remain safe.
> 
> I totally agree that one would need more than 2 ACLs, but those are 
> hard to write properly and to understand the ramifications of.
----
In my setups, the only app that uses /etc/ldap.secret is pam itself for
authentication. Yes, it is a flat file but so
is /etc/passwd, /etc/shadow.

No, the file only contains rootbinddn password and nothing else. Of
course the rootbinddn id is discoverable from /etc/ldap.conf which is
pretty much world readable to be useful.

Again, I pretty much allow anonymous binds for most everything so it's
easy enough for anyone, anywhere without authentication to get info from
most of LDAP...

ldapsearch -x -D '' '(mail=craig*)' #note -D '' means an empty bind

and get replies. This pretty much satisfies Postfix and Cyrus for mail
deliveries. I'm not sure where you're going with web server - I mean I
do use mod_authz_ldap but I just set it to 'require valid user' or
'require group' and let the user supply authentication information so
again, the only thing that uses /etc/ldap.secret is nss/pam.

As far as everything being compromised if the file is compromised - sure
- it gives you root level access - i.e. - you can set your own user id
to 0 if you wish. It's the same as cracking /etc/shadow or changing root
password. The thing that you fail to equate is that booting into run level
1 which allows you to read the /etc/ldap.secret file also allows you to
do virtually everything else equivalent (change root password,
copy /etc/shadow to user space, install key-loggers, etc.) Basically,
the way I figger, if you have users booting to run level 1, your network
security has already been compromised.

Heck - if it were me and my mindset were to become super user and I
booted to run level 1, I wouldn't waste my time with /etc/ldap.secret at
all...I would just
copy /etc/shadow, /var/log/wtmp, /var/log/secure, /root/.bash_history to
somewhere safe, change root password, up the run level, do my dirty
work, replace the files I copied and reboot.

Craig
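The file-permission mitigation the quoted Eating Security page relies on, turned into a small audit as an added example that is not code from this thread. It assumes the nss_ldap/pam_ldap layout (rootbinddn named in /etc/ldap.conf, its password alone in /etc/ldap.secret) and GNU coreutils stat; the paths are parameters so it can be run against constructed sample files.

```shell
#!/bin/sh
# Added example, not from the thread: check that /etc/ldap.secret is actually
# protected by the file permissions that are supposed to mitigate the
# plaintext rootbinddn password. Assumes GNU stat (-c) and the nss_ldap layout.
# Each check returns 0 when clean and 1 when something needs attention.

# rootbinddn must be set in ldap.conf, otherwise the secret file is dead weight
check_rootbinddn_set() {
    grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+[^[:space:]]' "$1"
}

# mode may grant nothing to group or other: 600 or 400 are acceptable
check_secret_mode() {
    [ -f "$1" ] || { echo "WARN: $1 is not a regular file"; return 1; }
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "WARN: $1 mode $mode is readable beyond the owner"; return 1 ;;
    esac
}

# owner must be the account that performs nss/pam lookups (root by default);
# the second argument exists so the check can be exercised on sample files
check_secret_owner() {
    want="${2:-root}"
    owner=$(stat -c '%U' "$1")
    [ "$owner" = "$want" ] || { echo "WARN: $1 owned by $owner, expected $want"; return 1; }
}

# the secret file should hold exactly one line: the password and nothing else
check_secret_single_line() {
    [ "$(wc -l < "$1")" -le 1 ] || { echo "WARN: $1 has more than one line"; return 1; }
}

# run every check against the real files; exit status is 0 only if all pass
audit_ldap_secret() {
    conf="${1:-/etc/ldap.conf}"; secret="${2:-/etc/ldap.secret}"; rc=0
    check_rootbinddn_set "$conf"       || { echo "WARN: no rootbinddn in $conf"; rc=1; }
    check_secret_mode "$secret"        || rc=1
    check_secret_owner "$secret"       || rc=1
    check_secret_single_line "$secret" || rc=1
    return $rc
}
```

Run `audit_ldap_secret` with no arguments on a host to check the real files; anything it prints is a finding.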



More information about the PLUG-discuss mailing list