
Bug#993935: marked as done (debian-edu-ltsp-install: Netboot image exposes private data and crypto keys)



Your message dated Tue, 14 Sep 2021 22:48:34 +0000
with message-id <E1mQHEA-00061j-T8@fasolo.debian.org>
and subject line Bug#993935: fixed in debian-edu-config 2.12.2
has caused the Debian Bug report #993935,
regarding debian-edu-ltsp-install: Netboot image exposes private data and crypto keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993935
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.11.56
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

The LTSP netboot image produced by debian-edu-ltsp-install includes full copies
of files that should never leave the Debian Edu main server, if run on a so-called
"combined server" (a system using the Main Server and Terminal Server profiles,
as done in small installations).

Among these files are full copies of, among others:

 - /var/lib/ldap, containing the full, unencrypted LDAP database with all
   private information on all users, password hashes, and Kerberos keys
 - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
   LDAP database
 - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
   key to decrypt it

Any user with access to the local terminal server network can acquire the netboot
image, unauthenticated, and extract the listed information from it.

The issue is caused by the new LTSP system using the LTSP PnP system now in all
cases, thus packing the entire main server filesystem in a squashfs image. The
debian-edu-ltsp-install script produces a list of files to exclude from the image,
which is not sufficient, most probably because it was tailored to the use case where
the image is produced from a dedicated Terminal Server instead of a combined server.

IMHO, the use case of the combined server cannot be fixed. The new LTSP system de facto
disallows any use of a combined server – even if we make a very carefully curated list
of excluded files, any administrator would have to take care to add their own excludes
for just about any file they place on the main server that was not placed there by the
Debian Edu software. In fact, the whole new LTSP system seems unfit to be used on any
server that is not limited to producing LTSP images, and supporting netbooting them.

For now, the issue should be mitigated by carefully adding all relevant paths that
are known to exist only on the main server to the exclude list, but I do not think
that is a viable fix in the long term.

--- End Message ---
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.12.2
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Sep 2021 00:38:42 +0200
Source: debian-edu-config
Architecture: source
Version: 2.12.2
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 993935
Changes:
 debian-edu-config (2.12.2) unstable; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust sbin/debian-edu-ltsp-install. (Closes: #993935)
     Thanks to Dominik George for spotting and reporting the issue.
     - Extend main server related exclude list.
     - Add slapd and xrdp-sesman to the list of masked services.
     - Ensure home directory access after above changes.
Checksums-Sha1:
 e8f5af195c6185403a71eaa37dbc09d5f9728bd1 1922 debian-edu-config_2.12.2.dsc
 ff5a155992bde85167cd3cc1b5e1ca957533dbaa 343340 debian-edu-config_2.12.2.tar.xz
 c8bed0bc7dc389bdc9f6e50c880e983193d02d21 5545 debian-edu-config_2.12.2_source.buildinfo
Checksums-Sha256:
 2d1fbc8921931965a54134121ef516fda7e520205513ef05f80f6e18e7736a20 1922 debian-edu-config_2.12.2.dsc
 91167a44a866f105c818dde390ab45c767d29d652d7622a9a211aa6e90ace98f 343340 debian-edu-config_2.12.2.tar.xz
 c127b4479854afc3527829b500e1415e2df48bf4625b5599612a777fb79d4aac 5545 debian-edu-config_2.12.2_source.buildinfo
Files:
 167f8823288ad5907c0863b903ab124f 1922 misc optional debian-edu-config_2.12.2.dsc
 b64e7d59de62ccb2385c439e9b4195c6 343340 misc optional debian-edu-config_2.12.2.tar.xz
 68b703977a5c3cc8df7b7423665f467d 5545 misc optional debian-edu-config_2.12.2_source.buildinfo

-----BEGIN PGP SIGNATURE-----
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=4GLU
-----END PGP SIGNATURE-----

--- End Message ---
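The report above names three paths that must never leave the main server (/var/lib/ldap, /etc/krb5-kdc, /etc/gosa), and the 2.12.2 changelog adds slapd and xrdp-sesman to the masked services. The following script is an added example, not part of the bug report or of debian-edu-config: it audits the file listing of a generated squashfs image (as printed by `unsquashfs -ll` from squashfs-tools) for both conditions, so an administrator running a combined server can check an image before it is served over the terminal-server network. The function names, the listing layout assumed by the parser and the embedded sample listing are constructed for this example; the sample is not captured from a real Debian Edu image.

```python
"""Audit an LTSP squashfs image listing for main-server-only content.

Hypothetical helper written for this page; not part of debian-edu-config.
Assumes the `unsquashfs -ll` listing format, where each entry looks like
  lrwxrwxrwx root/root  9 2021-09-14 22:48 squashfs-root/etc/foo -> /dev/null
and the image root is printed as "squashfs-root".
"""
import subprocess
from typing import Dict, Iterable, List, Tuple

# Paths the bug report says must never be in the image (exact path or subtree).
MAIN_SERVER_ONLY = ("/var/lib/ldap", "/etc/krb5-kdc", "/etc/gosa")
# Services the 2.12.2 fix masks inside the image.
MUST_BE_MASKED = ("slapd", "xrdp-sesman")

ROOT = "squashfs-root"


def parse_listing(listing: str) -> Dict[str, str]:
    """Map each path in the image (with leading '/') to its symlink target, or ''."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        idx = line.find(ROOT)
        # Skip the header lines unsquashfs prints; real entries start with a mode string.
        if idx < 0 or line[:1] not in "-dlcbps":
            continue
        rest = line[idx + len(ROOT):]
        target = ""
        if line[:1] == "l" and " -> " in rest:
            rest, target = rest.split(" -> ", 1)
        entries[rest or "/"] = target
    return entries


def find_leaks(entries: Dict[str, str],
               forbidden: Iterable[str] = MAIN_SERVER_ONLY) -> List[str]:
    """Return every path in the image that is, or lies under, a forbidden prefix."""
    forbidden = tuple(forbidden)
    return sorted(p for p in entries
                  if any(p == f or p.startswith(f + "/") for f in forbidden))


def unmasked_services(entries: Dict[str, str],
                      services: Iterable[str] = MUST_BE_MASKED) -> List[str]:
    """A masked systemd unit is /etc/systemd/system/<unit>.service -> /dev/null."""
    return [svc for svc in services
            if entries.get(f"/etc/systemd/system/{svc}.service") != "/dev/null"]


def audit_squashfs(image_path: str) -> Tuple[List[str], List[str]]:
    """Audit a real image with unsquashfs; needs squashfs-tools, not run offline."""
    out = subprocess.run(["unsquashfs", "-ll", image_path], check=True,
                         capture_output=True, text=True).stdout
    entries = parse_listing(out)
    return find_leaks(entries), unmasked_services(entries)


# Constructed sample listing: the shape of `unsquashfs -ll`, not real image data.
SAMPLE_LISTING = """\
Parallel unsquashfs: Using 4 processors
6 inodes (6 blocks) to write

drwxr-xr-x root/root               125 2021-09-14 22:48 squashfs-root
drwxr-xr-x root/root                90 2021-09-14 22:48 squashfs-root/etc
drwxr-xr-x root/root                40 2021-09-14 22:48 squashfs-root/etc/gosa
-rw------- root/root               512 2021-09-14 22:48 squashfs-root/etc/gosa/gosa.secrets
drwx------ openldap/openldap       200 2021-09-14 22:48 squashfs-root/var/lib/ldap
-rw------- openldap/openldap  10485760 2021-09-14 22:48 squashfs-root/var/lib/ldap/data.mdb
lrwxrwxrwx root/root                 9 2021-09-14 22:48 squashfs-root/etc/systemd/system/slapd.service -> /dev/null
-rw-r--r-- root/root               122 2021-09-14 22:48 squashfs-root/etc/hostname
"""

if __name__ == "__main__":
    ents = parse_listing(SAMPLE_LISTING)
    print("main-server-only paths in image:", find_leaks(ents))
    print("services not masked:", unmasked_services(ents))
```

On a real server the check would be `audit_squashfs("/srv/ltsp/images/x86_64.img")` (path assumed); a non-empty leak list means the exclude list in debian-edu-ltsp-install is still incomplete for that host, which is exactly the failure the report describes. The denylist only catches paths it knows about, so anything an administrator placed on the main server outside these directories still has to be added to it by hand.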
