
Re: Please review text for security warning

Ryan Tandy wrote:
> Template: slapd/backend
> Type: select
> Choices: BDB, HDB, MDB
> Default: MDB
> _Description: Database backend to use:
>  HDB and BDB use similar storage formats, but HDB adds support for
>  subtree renames. Both support the same configuration options.
>  .
>  The MDB backend is recommended. MDB uses a new storage format and
>  requires less configuration than BDB or HDB.
>  .
>  In any case, you should review the resulting database configuration for
>  your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.

Ah, changed recommendation.  Yes, still makes sense.

> Template: slapd/unsafe_selfwrite_acl
> Type: note
> #flag:comment:3
> # Translators: keep "by self write" and "to *" unchanged. These are
> # part of the slapd configuration and are not translatable.
> _Description: Access rules permit self-modification by users
>  One or more of the configured databases has an access control rule
>  that allows users to modify most of their own attributes. This may be
>  unsafe, depending on how the database is used.
>  .
>  It is recommended to remove "by self write" from access rules
>  beginning with "to *", so that users are only able to modify
>  specifically allowed attributes.
>  .
>  See /usr/share/doc/slapd/README.Debian.gz for more details.

Is anyone likely to misread "self-modification by users" as meaning
"getting my ears pierced", or is that the kind of thing that only
occurs to pedants?

I might suggest adding the word "slapd" or "slapd.conf" in the first
couple of lines, though there is a good clue at the end.

Non-native speakers can find "integrated" relative clauses ("rules
beginning with") hard to follow, so I would suggest saying "rules that
begin with" instead.  You might even rearrange it as

   In the case of slapd access rules that begin with "to *", it is
   recommended to remove any instances of "by self write", so that
   users are only able to modify specifically allowed attributes.

JBR	with qualifications in linguistics, experience as a Debian
	sysadmin, and probably no clue about this particular package
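
An added example, not part of this thread or of the Debian slapd package: a small Python check for the condition the slapd/unsafe_selfwrite_acl note describes, flagging access rules that begin with "to *" and contain "by self write", and showing the rule with that clause removed. It assumes slapd.conf syntax (lines starting with whitespace continue the previous line) and does not cover cn=config olcAccess values; the function names and the sample configuration are hypothetical.

```python
import re

# Constructed sample slapd.conf fragment (not taken from any real system).
SAMPLE_CONF = """\
# constructed example
database mdb
suffix "dc=example,dc=org"
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by dn="cn=admin,dc=example,dc=org" write
    by * read
"""

# The clause the template tells administrators to remove.
SELF_WRITE = re.compile(r"\s+by\s+self\s+write\b", re.IGNORECASE)

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop blanks and comments."""
    joined = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.rstrip())
    return [line for line in joined if line and not line.startswith("#")]

def unsafe_rules(text):
    """Return access rules that begin with "to *" and contain "by self write"."""
    found = []
    for line in logical_lines(text):
        tokens = line.split()
        if len(tokens) < 3 or tokens[0].lower() != "access":
            continue
        if tokens[1].lower() == "to" and tokens[2] == "*" and SELF_WRITE.search(line):
            found.append(" ".join(tokens))
    return found

def without_self_write(rule):
    """Apply the recommended change: drop "by self write", keep the other clauses."""
    return SELF_WRITE.sub("", rule)

if __name__ == "__main__":
    for rule in unsafe_rules(SAMPLE_CONF):
        print("unsafe:   ", rule)
        print("suggested:", without_self_write(rule))
```

The attribute-specific rule for userPassword is left alone, which matches the template's intent that users keep write access only to specifically allowed attributes.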
