
Security problem with slapd/slurpd?



When slapd (LDAP server daemon) is configured to replicate itself to
another server, on each addition/modification to the directory it will
store the changes to be replicated in /var/lib/ldap/replog.  This
directory is world readable and entries like userPassword will be
visible (although on sensible setups they will already be hashed to
MD5 or SHA).  slurpd will then pick the changes up, push them to the
slave directory, and store them in
/var/spool/slurpd/replica/slurpd.replog, which is a complete log of
changes applied by slurpd and is world readable as well.

Am I missing something or should a bug be filed?

Massimiliano
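
The check described in the message above, as an added shell example that is not part of the original post: it reports which of the two named paths are world readable and counts the userPassword values each file exposes. The function names and the sample record are constructed for illustration, and an LDIF-style replog layout is an assumption.

```shell
#!/bin/sh
# Added example: report world-readable slapd/slurpd replication logs.
# Default paths are the two named in the message above.
REPLOG_PATHS="/var/lib/ldap/replog /var/spool/slurpd/replica/slurpd.replog"

# True when the "other" read bit is set (8th character of the ls mode string).
is_world_readable() {
    [ -e "$1" ] || return 1
    [ "$(ls -ld -- "$1" | cut -c8)" = "r" ]
}

# Number of userPassword values in a file (attribute names are
# case-insensitive in LDIF, so match without regard to case).
count_password_lines() {
    grep -ci '^userpassword:' -- "$1" 2>/dev/null || true
}

# Print one finding line if the path is world readable.
report_path() {
    is_world_readable "$1" || return 0
    if [ -f "$1" ]; then
        echo "WORLD-READABLE $1 userPassword_lines=$(count_password_lines "$1")"
    else
        echo "WORLD-READABLE $1"
    fi
}

# Audit each path; for a directory, also audit the regular files inside it.
audit_replog() {
    for p in "$@"; do
        report_path "$p"
        if [ -d "$p" ]; then
            for f in "$p"/*; do
                if [ -f "$f" ]; then report_path "$f"; fi
            done
        fi
    done
    return 0
}

# Write a constructed change record (not real data) for trying the audit.
# The LDIF-style layout is an assumption about the replog format.
make_sample_replog() {
    printf '%s\n' 'dn: uid=test,dc=example,dc=com' 'changetype: modify' \
        'replace: userPassword' 'userPassword: {MD5}CONSTRUCTED-VALUE' '-' > "$1"
}

# With no arguments, audit the default paths.
[ $# -gt 0 ] || set -- $REPLOG_PATHS
audit_replog "$@"
```

Tightening a reported file to owner-only mode (for example `chmod 600`) clears its finding on the next run.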


