
Bug#993935: marked as done (debian-edu-ltsp-install: Netboot image exposes private data and crypto keys)



Your message dated Thu, 30 Sep 2021 18:47:07 +0000
with message-id <E1mW15H-000Byr-2o@fasolo.debian.org>
and subject line Bug#993935: fixed in debian-edu-config 2.11.56+deb11u1
has caused the Debian Bug report #993935,
regarding debian-edu-ltsp-install: Netboot image exposes private data and crypto keys
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
993935: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=993935
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.11.56
Severity: critical
Tags: security
Justification: root security hole
X-Debbugs-Cc: Debian Security Team <team@security.debian.org>

The LTSP netboot image produced by debian-edu-ltsp-install includes full copies
of files that should never leave the Debian Edu main server, if run on a so-called
"combined server" (a system using the Main Server and Terminal Server profiles,
as done in small installations).

Among these files are full copies of, among others:

 - /var/lib/ldap, containing the full, unencrypted LDAP database with all
   private information on all users, password hashes, and Kerberos keys
 - /etc/krb5-kdc, containing information on decrypting Kerberos data in the
   LDAP database
 - /etc/gosa, containing the (encrypted) LDAP manager credentials, plus the
   key to decrypt it

Any user with access to the local terminal server network can acquire the netboot
image, unauthenticated, and extract the listed information from it.

The issue is caused by the new LTSP system using the LTSP PnP system now in all
cases, thus packing the entire main server filesystem in squashfs image. The
debian-edu-ltsp-install script produces a list of files to exclude from the image,
which is not sufficient, most probably because it was tailored to the use case where
the image is produced from a dedicated Terminal Server instead of a combined server.

IMHO, the use case of the combined server cannot be fixed. The new LTSP system de facto
disallows any use of a combined server – even if we make a very carefully curated list
of excluded files, any administrator would have to take care to add their own excludes
for just about any file they place on the main server that was not placed there by the
Debian Edu software. In fact, the whole new LTSP system seems unfit to be used on any
server that is not limited to producing LTSP images, and supporting netbooting them.

For now, the issue should be mitigated by carefully adding all relevant paths that
are known to exist only on the main server to the exclude list, but I do not think
that is a viable fix in the long term.

--- End Message ---
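One way to check that an exclude list of the kind the report asks for actually took effect is to inspect the finished image rather than trust the build script. The following shell script is an added example and is not part of debian-edu-config or the report; it lists a squashfs image with `unsquashfs -l` (from squashfs-tools, assumed installed for the wrapper) and fails if any entry falls under one of the three main-server directories named above. The path list is deliberately only those three; a real deployment would extend it with its own additions, which is exactly the maintenance burden the reporter describes.

```shell
#!/bin/sh
# Added example (not from debian-edu-config): audit a squashfs netboot image
# for paths that must never leave the Debian Edu main server.
#
# Assumptions:
#  - check_squashfs_image needs `unsquashfs` from squashfs-tools.
#  - The listing format is the one `unsquashfs -l` prints: one entry per
#    line, each path prefixed with "squashfs-root". A few header lines
#    ("Parallel unsquashfs: ...", "N inodes ...") precede the entries; they
#    never match a forbidden path and are simply ignored.
#  - FORBIDDEN_PATHS contains only the directories named in the bug report.

# Directories from the report that must not appear in a netboot image.
FORBIDDEN_PATHS="/var/lib/ldap /etc/krb5-kdc /etc/gosa"

# check_image_listing FILE
# Reads one path per line from FILE, strips the "squashfs-root" prefix, and
# prints every entry that is one of the forbidden directories or lies below
# one. Returns 1 if at least one such entry exists, 0 if the image is clean.
check_image_listing() {
    listing="$1"
    found=0
    while IFS= read -r entry; do
        path="${entry#squashfs-root}"
        for p in $FORBIDDEN_PATHS; do
            case "$path" in
                "$p"|"$p"/*)
                    printf 'LEAK: %s\n' "$entry"
                    found=1
                    ;;
            esac
        done
    done < "$listing"
    return $found
}

# check_squashfs_image IMAGE
# Lists IMAGE with unsquashfs and runs check_image_listing over the result.
# Returns 0 (clean), 1 (forbidden content found) or 2 (could not list image).
check_squashfs_image() {
    tmp=$(mktemp) || return 2
    if ! unsquashfs -l "$1" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi
    check_image_listing "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Typical use is `check_squashfs_image /srv/ltsp/images/x86_64.img || echo "refusing to publish image"` as the last step of an image build, so that a leaked /var/lib/ldap is caught before the image is exposed on the terminal server network. Matching is done on path prefixes after the `squashfs-root` marker, so a file such as `/etc/gosab` is not a false positive for `/etc/gosa`.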
--- Begin Message ---
Source: debian-edu-config
Source-Version: 2.11.56+deb11u1
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 993935@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 28 Sep 2021 16:32:20 +0200
Source: debian-edu-config
Architecture: source
Version: 2.11.56+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 993935
Changes:
 debian-edu-config (2.11.56+deb11u1) bullseye; urgency=medium
 .
   [ Wolfgang Schweer ]
   * Adjust sbin/debian-edu-ltsp-install. (Closes: #993935)
     Thanks to Dominik George for spotting and reporting the issue.
     - Extend main server related exclude list.
     - Add slapd and xrdp-sesman to the list of masked services.
     - Ensure home directory access after above changes.
Checksums-Sha1:
 8bff85b5ab93948a087438b50d29d727463c4f8d 1958 debian-edu-config_2.11.56+deb11u1.dsc
 1f62b24876e5a1f8694ab05cc08577e57d46903d 342544 debian-edu-config_2.11.56+deb11u1.tar.xz
 3ec9bf7f7b1a33f3d79dd1d79bedeb68fe6953ca 5668 debian-edu-config_2.11.56+deb11u1_source.buildinfo
Checksums-Sha256:
 1fa4102ff6af3b1cc828d34b1956b148fd901f589e7cc29601bde7d00177ea49 1958 debian-edu-config_2.11.56+deb11u1.dsc
 3a9e0069a0d2afda2c924b7ee6b42f3e6a9fd1017a5b07c3d8fc02c5616ce523 342544 debian-edu-config_2.11.56+deb11u1.tar.xz
 e491cb8ad8b9d2a928d228743b75d825dbf8a12f8a88e17cadca0fa2cec58a18 5668 debian-edu-config_2.11.56+deb11u1_source.buildinfo
Files:
 8e674411f76e19e363e5ec9d8cca7364 1958 misc optional debian-edu-config_2.11.56+deb11u1.dsc
 0e8548a277e1e28752ab5a406758b8dd 342544 misc optional debian-edu-config_2.11.56+deb11u1.tar.xz
 d4c688f74a4854bd44727621b4a3387c 5668 misc optional debian-edu-config_2.11.56+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
