[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#8328) Information leak in slapo-auditlog

Full_Name: Moritz M.hlenhoff
Version: 2.4.40
OS: Debian
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I setup a test system which made use of the slapo-auditlog overlay using these
config options:

moduleload auditlog
overlay auditlog
auditlog /var/lib/ldap/slapd-audit.log

The /var/lib/ldap/slapd-audit.log was created with world-readable permissions,
which constitutes a security issue since that file also logs sensitive
attributes which are otherwise protected by ACLs (such as password hashes).

Proposed patch:

diff -aur openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c
--- openldap-2.4.40+dfsg.orig/servers/slapd/overlays/auditlog.c 2014-09-19
01:48:49.000000000 +0000
+++ openldap-2.4.40+dfsg/servers/slapd/overlays/auditlog.c      2015-12-02
11:08:24.331146770 +0000
@@ -121,6 121,7 @@
        peername = op->o_conn->c_peer_name;
+       umask(027);
        if((f = fopen(ad->ad_logfile, "a")) == NULL) {
                return SLAP_CB_CONTINUE;