
(ITS#8080) nssov allows users to change anyone's password



Full_Name: Ryan Tandy
Version: 2.4
OS: Debian
URL: 
Submission from: (NULL) (24.68.37.4)


If I write to the socket, un-base64ed:

AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20GAAAAcGFzc3dkAAAAAAQAAABhc2Rm

(pwmod action, uid 'rtandy', dn 'uid=rtandy,dc=example,dc=com', service
'passwd', opw '', npw 'asdf')

nssov will change rtandy's password, assuming ACLs permit userPassword mods by
self.

Furthermore, if I set nssov-pwdmgr-dn to 'cn=pwdmgr,dc=example,dc=com' and then
write to the socket, un-base64ed:

AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQYAAABwYXNzd2QAAAAABAAAAGFzZGY=

(pwmod action, uid 'rtandy', dn 'cn=pwdmgr,dc=example,dc=com', service 'passwd',
opw '', npw 'asdf')

then rtandy's password will be changed using pwdmgr privileges. IMO only root
should be allowed to do this, not unprivileged users. (passwd(1) enforces the
same rule.)

I also noticed that pwmod always bails out if no pwdmgr dn is configured, even
if it shouldn't be needed (i.e. user changing own password).

The following patches solve these problems by requiring the old password to be
supplied unless working as pwdmgr; by only allowing root to authc or pwmod as
pwdmgr (adapted from nss-pam-ldapd); and by silently skipping the pwdmgr check
if it's not configured.

ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-require-old-password-unless-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-only-allow-root-to-become-pwdmgr.patch
ftp://ftp.openldap.org/incoming/20150315_rtandy_nssov-allow-user-pwmod-without-pwdmgr-configured.patch
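As an added illustration (not part of the report or of OpenLDAP's nssov code), the following Python decodes the two socket requests quoted above and applies the three rules the patches describe. It assumes the nslcd wire layout those captures exhibit: a 32-bit protocol version (1) and action code (0x4e25 for pwmod) followed by length-prefixed strings in host byte order, little-endian in the report. The caller's uid is assumed to come from the socket's peer credentials, as the root check adapted from nss-pam-ldapd does; `pwmod_allowed` is a model of the intended policy, not the overlay's actual function.

```python
import base64
import struct
from typing import Optional, Tuple

# Assumed constants: the protocol version and pwmod action code that both
# captured requests in the report carry.
NSLCD_VERSION = 0x00000001
NSLCD_ACTION_PAM_PWMOD = 0x4E25

# The two requests from the report, exactly as the reporter posted them.
REQ_SELF = ("AQAAACVOAAAGAAAAcnRhbmR5HAAAAHVpZD1ydGFuZHksZGM9ZXhhbXBsZSxkYz1jb20G"
            "AAAAcGFzc3dkAAAAAAQAAABhc2Rm")
REQ_PWDMGR = ("AQAAACVOAAAGAAAAcnRhbmR5GwAAAGNuPXB3ZG1ncixkYz1leGFtcGxlLGRjPWNvbQY"
              "AAABwYXNzd2QAAAAABAAAAGFzZGY=")


def _read_int32(buf: bytes, off: int) -> Tuple[int, int]:
    """Read one 32-bit integer. The report's captures are little-endian (x86)."""
    if off + 4 > len(buf):
        raise ValueError("truncated int32 at offset %d" % off)
    return struct.unpack_from("<i", buf, off)[0], off + 4


def _read_string(buf: bytes, off: int) -> Tuple[str, int]:
    """Strings on the wire are an int32 length followed by that many bytes."""
    n, off = _read_int32(buf, off)
    if n < 0 or off + n > len(buf):
        raise ValueError("bad string length %d at offset %d" % (n, off))
    return buf[off:off + n].decode("utf-8"), off + n


def parse_pwmod_request(raw: bytes) -> dict:
    """Split a pwmod request into its fields; reject anything malformed."""
    version, off = _read_int32(raw, 0)
    action, off = _read_int32(raw, off)
    if version != NSLCD_VERSION:
        raise ValueError("unsupported protocol version 0x%x" % version)
    if action != NSLCD_ACTION_PAM_PWMOD:
        raise ValueError("not a pwmod request: action 0x%x" % action)
    fields = {}
    # Field order as seen in the report: uid, dn, service, old pw, new pw.
    for name in ("uid", "dn", "service", "opw", "npw"):
        fields[name], off = _read_string(raw, off)
    if off != len(raw):
        raise ValueError("%d trailing bytes after request" % (len(raw) - off))
    return fields


def decode_request(b64: str) -> dict:
    """Convenience wrapper: base64 text as posted -> parsed fields."""
    return parse_pwmod_request(base64.b64decode(b64))


def pwmod_allowed(req: dict, caller_uid: int,
                  pwdmgr_dn: Optional[str]) -> Tuple[bool, str]:
    """Model of the rules the patches add (assumption, not nssov's code):
    - a request naming the configured pwdmgr DN is honoured only for root
      (caller_uid 0, taken from the socket's peer credentials);
    - any other request must carry the old password;
    - with no pwdmgr DN configured, the pwdmgr check is simply skipped."""
    if pwdmgr_dn is not None and req["dn"] == pwdmgr_dn:
        if caller_uid != 0:
            return False, "only root may change passwords as pwdmgr"
        return True, "root acting as pwdmgr"
    if req["opw"] == "":
        return False, "old password required when not acting as pwdmgr"
    return True, "password change authenticated with old password"


if __name__ == "__main__":
    cfg = "cn=pwdmgr,dc=example,dc=com"
    for label, b64 in (("self", REQ_SELF), ("pwdmgr", REQ_PWDMGR)):
        req = decode_request(b64)
        print(label, req)
        print("  as uid 1000:", pwmod_allowed(req, 1000, cfg))
        print("  as root:    ", pwmod_allowed(req, 0, cfg))
```

Run as a script it prints both decoded requests and the verdict for an unprivileged caller and for root; with the rules applied, neither request from the report succeeds for uid 1000, since the first carries no old password and the second names the pwdmgr DN.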