Re: Please review text for security warning
Ryan Tandy wrote:
> Template: slapd/backend
> Type: select
> Choices: BDB, HDB, MDB
> Default: MDB
> _Description: Database backend to use:
> HDB and BDB use similar storage formats, but HDB adds support for
> subtree renames. Both support the same configuration options.
> .
> The MDB backend is recommended. MDB uses a new storage format and
> requires less configuration than BDB or HDB.
> .
> In any case, you should review the resulting database configuration for
> your needs. See /usr/share/doc/slapd/README.Debian.gz for more details.
Ah, changed recommendation. Yes, still makes sense.
> Template: slapd/unsafe_selfwrite_acl
> Type: note
> #flag:comment:3
> # Translators: keep "by self write" and "to *" unchanged. These are
> # part of the slapd configuration and are not translatable.
> _Description: Access rules permit self-modification by users
> One or more of the configured databases has an access control rule
> that allows users to modify most of their own attributes. This may be
> unsafe, depending on how the database is used.
> .
> It is recommended to remove "by self write" from access rules
> beginning with "to *", so that users are only able to modify
> specifically allowed attributes.
> .
> See /usr/share/doc/slapd/README.Debian.gz for more details.
Is anyone likely to misread "self-modification by users" as meaning
"getting my ears pierced", or is that the kind of thing that only
occurs to pedants?
I might suggest adding the word "slapd" or "slapd.conf" in the first
couple of lines, though there is a good clue at the end.
Non-native speakers can find "integrated" relative clauses ("rules
beginning with") hard to follow, so I would suggest saying "rules that
begin with" instead. You might even rearrange it as

    In the case of slapd access rules that begin with "to *", it is
    recommended to remove any instances of "by self write", so that
    users are only able to modify specifically allowed attributes.
--
JBR with qualifications in linguistics, experience as a Debian
sysadmin, and probably no clue about this particular package
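The following is an added illustration of the check behind the slapd/unsafe_selfwrite_acl note (it is not part of this thread, nor of the slapd package): it parses slapd.conf "access to ... by ..." directives (and the equivalent olcAccess lines from cn=config), flags every "to *" rule that grants "by self write", and shows the recommended fix of dropping that clause from the catch-all rule while leaving rules such as the userPassword one untouched. The ACL fragment and the cn=admin,dc=example,dc=com DN are constructed sample values.

```python
import re

# Constructed slapd.conf ACL fragment (sample for this example, not from the thread).
# The second "access to *" directive is exactly the pattern the debconf note warns about:
# it lets every user rewrite most of their own entry, not just specifically allowed attributes.
UNSAFE_ACL = """\
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by dn="cn=admin,dc=example,dc=com" write
        by * read
"""

# Matches both slapd.conf "access to <what> ..." and cn=config "olcAccess: {n}to <what> ..."
_DIRECTIVE = re.compile(r"^(?:access\s+to|olcAccess:\s*(?:\{\d+\})?\s*to)\s+(.*)$")
_SELF_WRITE = re.compile(r"self\s+write")


def parse_access_rules(conf_text):
    """Parse access directives into (what, [by-clause, ...]) pairs.

    Lines that start with whitespace continue the preceding directive, which is the
    continuation convention of both slapd.conf(5) and LDIF. Comments and blank lines
    are skipped; directives that are not access rules are ignored.
    """
    directives = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and directives:
            directives[-1] += " " + raw.strip()
        else:
            directives.append(raw.strip())
    rules = []
    for d in directives:
        m = _DIRECTIVE.match(d)
        if not m:
            continue
        # "<what> by <who> <access> by <who> <access> ..." -> split on the "by" keywords
        parts = re.split(r"\s+by\s+", m.group(1).strip())
        rules.append((parts[0].strip(), [p.strip() for p in parts[1:]]))
    return rules


def find_unsafe_selfwrite(conf_text):
    """Return the by-clauses of every 'to *' rule that contains a 'self write' clause."""
    return [clauses for what, clauses in parse_access_rules(conf_text)
            if what == "*" and any(_SELF_WRITE.fullmatch(c) for c in clauses)]


def remove_selfwrite_from_catchall(conf_text):
    """Apply the note's recommendation: drop 'by self write' from 'to *' rules only.

    Rules with a narrower <what> (for example attrs=userPassword, where self write is
    intended) are kept as they are. Output is re-serialised in slapd.conf layout,
    one by-clause per line.
    """
    out = []
    for what, clauses in parse_access_rules(conf_text):
        if what == "*":
            clauses = [c for c in clauses if not _SELF_WRITE.fullmatch(c)]
        out.append("access to " + what)
        out.extend("        by " + c for c in clauses)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for hit in find_unsafe_selfwrite(UNSAFE_ACL):
        print("catch-all rule grants self write:", hit)
    hardened = remove_selfwrite_from_catchall(UNSAFE_ACL)
    print(hardened)
    assert not find_unsafe_selfwrite(hardened)
```

The parser splits on the "by" keyword surrounded by whitespace, so it is adequate for reviewing a configuration but not a full slapd ACL grammar; a review of the resulting database configuration, as the template itself says, is still the final word.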