Re: libnss-ldap/libpam-ldap security issue

[Russ Allbery <rra@debian.org>]

Brian May <bam@snoopy.debian.net> writes:

> Is there anyway to configure the ldap libraries not to read from
> $HOME/.ldaprc?

Well, you can set LDAPNOINIT or LDAPCONF.  It's even documented in
ldap.conf(5):

    Users may create an optional configuration file, ldaprc or .ldaprc, in
    their home directory which will be used to override the system-wide
    defaults file.  The file ldaprc in the current working directory is
    also used.

The last bit is particularly awesome.

I tried to convince upstream that this was a security concern and got
yelled at for my trouble until I gave up (although to be fair, upstream
did agree at least that reading files out of the current working directory
was a broken idea and they wouldn't do it if they were starting from
scratch now, but they didn't want to change the existing code).  As I
recall, the theory was that any software that cared about security needed
to override the library defaults anyway so it wouldn't matter if the
library read an untrusted initialization file, and I think I verified that
and that is indeed correct.  (Of course, that doesn't help against
segfaults in the config file parser.)  The NSS module got all the
necessary initializations the last time this came up, which addressed the
immediate concerns at the time the bug was raised, so nothing further
happened with the Debian OpenLDAP package.

This was a while back, so my memory may be wrong on the details.  Steve
might remember more.

The problem with just removing this code in the library is that it's also
how ldapsearch and friends get their defaults, which is actively used and
will break people's scripts if it goes away.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>