ports/72867: [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changing LDAP password
Pawel Wielebap
wielebap at iem.pw.edu.pl
Tue Oct 19 10:30:21 UTC 2004
>Number: 72867
>Category: ports
>Synopsis: [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changing LDAP password
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Oct 19 10:30:20 GMT 2004
>Closed-Date:
>Last-Modified:
>Originator: Pawel Wielebap
>Release: FreeBSD 6.0
>Organization:
>Environment:
FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0:
>Description:
The problem and the solution are described in the article:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools_doc.pdf
I also enclosed there 2 specific script modifications which can serve as the main passwd programme and can be run in setuid mode.
Description:
- Script smbldap-passwd cannot be run with perl -T (taint) option turned on.
- If slappasswd is not available, the userPassword field is still modified with the empty password!!! and the samba password is still modified with the entered password.
- Script smbldap-passwd requires slappasswd to generate the password and this is not configurable. Slappasswd is an external programme, so it is rather not as secure as using perl libraries.
>How-To-Repeat:
Rename /usr/local/sbin/slappasswd and run smbldap-passwd. An empty password will be applied.
Use a tainted password like: 'pass; rm -R ~;'
>Fix:
A modified port can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools.taz
I have rebuilt the structure of the smbldap-passwd script.
This script can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-passwd
I don't place the code here because it is very long, so please download it from my website.
You have to apply a patch to /usr/local/etc/smbldap-tools/smbldap.conf
It can be downloaded from:
www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap.conf.diff-freebsd
The patch:
% cat smbldap.conf.diff-freebsd
--- smbldap.conf.orig Tue Oct 19 11:41:37 2004
+++ smbldap.conf Tue Oct 19 11:42:43 2004
@@ -106,7 +106,7 @@
# Default scope Used
scope="sub"
-# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
+# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
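Review bot: the changed comment line now lists CLEARTEXT as an accepted hash_encrypt value with nothing to say that it stores userPassword unhashed, right next to schemes such as SSHA. Add a warning line above hash_encrypt stating that CLEARTEXT writes the password as-is, or leave it out of the advertised list and document it separately. The comment also still says "encryption" for what are hash schemes, which is worth correcting while the line is being touched.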
@@ -189,4 +189,10 @@
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
-smbpasswd="/usr/bin/smbpasswd"
+smbpasswd="/usr/local/bin/smbpasswd"
+
+# Allows not tu use slappasswd (if without_slappasswd == 1 in smbldap_conf.pm)
+# but prefer Crypt:: libraries
+without_slappasswd="0"
+slappasswd="/usr/local/sbin/slappasswd"
+
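Review bot: the added default without_slappasswd="0" keeps the external slappasswd binary as the path used out of the box, which is the path the report says produces an empty userPassword when the binary is missing; consider defaulting to "1" so the library path is taken unless an administrator opts back in. The option is also negated while its neighbour with_smbpasswd is positive, so "0" means "do not call the binary" on one line and "call the binary" on the next; with_slappasswd="0" would keep the two consistent. In the added comment, "tu" should be "to", and "Crypt:: libraries" does not name the module that is actually required.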
>Release-Note:
>Audit-Trail:
>Unformatted:
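
The failure described under >Description (an empty userPassword when slappasswd is missing, and a password that can reach a shell) does not arise when the hash is built in-process and anything malformed is refused. The following Perl is an added example, not the submitter's smbldap-passwd; `make_ssha` and `check_ssha` are hypothetical names, and it assumes the core Digest::SHA and MIME::Base64 modules and a readable /dev/urandom.

```perl
use strict;
use warnings;
use Digest::SHA qw(sha1);
use MIME::Base64 qw(encode_base64 decode_base64);

# Hypothetical helper: build an LDAP userPassword value ({SSHA}) without
# running any external program, so nothing is interpolated into a shell
# and the code also runs under perl -T.
sub make_ssha {
    my ($password) = @_;
    die "refusing empty password\n"
        unless defined $password && length $password;

    # 8 random salt bytes; die rather than continue with a weak salt.
    open(my $rnd, '<:raw', '/dev/urandom')
        or die "cannot open /dev/urandom: $!\n";
    my $got = read($rnd, my $salt, 8);
    close $rnd;
    die "short read from /dev/urandom\n" unless defined $got && $got == 8;

    # SSHA = base64( SHA1(password . salt) . salt )
    my $value = '{SSHA}' . encode_base64(sha1($password . $salt) . $salt, '');

    # Fail closed: 28 raw bytes always encode to 38 characters plus "==".
    # Anything else must never be written to the directory.
    die "hash generation failed\n"
        unless $value =~ m{\A\{SSHA\}[A-Za-z0-9+/]{38}==\z};
    return $value;
}

# Hypothetical helper: check a candidate password against a stored value.
sub check_ssha {
    my ($password, $stored) = @_;
    my ($b64) = $stored =~ m{\A\{SSHA\}(.+)\z} or return 0;
    my $raw = decode_base64($b64);
    return 0 if length($raw) <= 20;        # a 20-byte digest, then the salt
    my ($digest, $salt) = (substr($raw, 0, 20), substr($raw, 20));
    return sha1($password . $salt) eq $digest ? 1 : 0;
}

# The password string from >How-To-Repeat, handled purely as data.
my $pw   = 'pass; rm -R ~;';
my $hash = make_ssha($pw);
print "userPassword: $hash\n";
print "verifies: ", check_ssha($pw, $hash), "\n";
print "empty rejected: ", (eval { make_ssha(''); 1 } ? 'no' : 'yes'), "\n";
```

A caller should perform the LDAP modify only after `make_ssha` has returned, so that any failure aborts before either the userPassword or the samba password is changed.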