
Bug#682583: pu: package nss-pam-ldapd/0.7.15+squeeze2



On Sat, Sep 08, 2012 at 04:21:10PM +0200, Arthur de Jong wrote:
> On Fri, 2012-09-07 at 22:53 +0200, Philipp Kern wrote:
> > > (1) extra checking of overflows of numeric values retrieved from LDAP
> > >     This change was developed and tested by Redhat and has been in
> > >     upstream releases 0.7.16 and 0.8.4 (and is also present in the
> > >     version currently in testing).
> > >     The diff in 0.7.16 which should apply without issues to 0.7.15:
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1600&view=revision
> > >     svn diff -c 1600 http://arthurdejong.org/svn/nss-pam-ldapd
> > 
> > What's the consequence if we don't include this? I.e. what does this solve
> > exactly?
> 
> It fixes the range checking code that is in place for checking numeric
> results from LDAP. For example it should now correctly reject negative
> values and some other out of range values instead of silently converting
> them to some other value.
> 
> This change also includes proper length checking for the uid attribute
> (e.g. when the LDAP server would contain a value that would not fit in
> uid_t).

ACK.

> > > (4) increase buffer size for pam_authz_search and ensure log message
> > >     isn't cut short (this is Ubuntu bug #951343)
> > >     These changes were in 0.7.16 and 0.8.7.
> > >     The diffs:
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1629&view=revision
> > >     http://arthurdejong.org/viewvc/nss-pam-ldapd?revision=1648&view=revision
> > >     svn diff -c 1629 http://arthurdejong.org/svn/nss-pam-ldapd
> > 
> > That seems gratuitous and is IMHO not suitable.
> 
> Actually, this is the better part of the fix for this problem IMO.
> 
> The problem was that only the first part of the string was logged. If
> the search was very long it would log:
>   pam_authz_search "very log string that will eventually be cut off....
> The increase in buffer size ensures that the cut-off is later but some
> syslog implementations have also been known to have a limited length for
> log messages.
> 
> This change also ensures that the core of the message (that the filter
> is invalid) is at the front of the log message.
> 
> The only downside I see from this is that if you have log filtering
> rules that pick up on this they will have to be changed. However, this
> error message should only appear if you make specific configuration
> errors in /etc/nslcd.conf.

My focus was indeed on the gratuitous string change, which would be logged
on every query AFAICS, instead of once when the configuration file is
read.  But I guess the new string makes sense and it's an error
condition which should be induced purely by the configuration file and
not external input.

Hence you can go ahead and prepare a debdiff for the final ACK.

Thanks and sorry for the long waiting period
Philipp Kern
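
The range checking discussed under item (1), as an added example that is not part of the original message and is not the code from nss-pam-ldapd revision 1600: a naive conversion of a numeric LDAP value next to a strict one that rejects negative and out-of-range input. The function names are hypothetical, the sample values are constructed, and `uint32_t` stands in for a 32-bit `uid_t`.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Naive conversion: strtoul() accepts a leading '-' and wraps the result,
   and the cast to a 32-bit id silently truncates where long is 64 bits. */
static uint32_t parse_id_naive(const char *s)
{
    return (uint32_t)strtoul(s, NULL, 10);
}

/* Strict conversion: returns 0 and stores the id on success, -1 for any
   value that is not a plain decimal number fitting in 32 bits. */
static int parse_id_strict(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v;

    /* strtoull() skips whitespace and accepts a sign, so require a digit first */
    if (s == NULL || !isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;              /* overflowed the parser or trailing garbage */
    if (v > UINT32_MAX)
        return -1;              /* would not fit in the id type */
    *out = (uint32_t)v;
    return 0;
}

int main(void)
{
    /* Constructed values, as a directory might return them for uidNumber */
    const char *samples[] = { "1000", "-1", "4294967296", "12x", "" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t id = 0;
        int rc = parse_id_strict(samples[i], &id);
        printf("%-12s naive=%-10u strict=%s\n", samples[i],
               (unsigned)parse_id_naive(samples[i]),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

On a platform with a 64-bit `long`, the naive path maps "4294967296" to id 0, which is the kind of silent conversion the strict path refuses.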
