Date: Tue, 19 Oct 2004 10:20:45 GMT From: Pawel Wielebap <wielebap@iem.pw.edu.pl> To: freebsd-gnats-submit@FreeBSD.org Subject: ports/72867: [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changin LDAP password Message-ID: <200410191020.i9JAKjct028412@www.freebsd.org> Resent-Message-ID: <200410191030.i9JAULAP035650@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help
>Number: 72867 >Category: ports >Synopsis: [PATCH] unsecure smbldap-passwd from net/smbldap-tools when changin LDAP password >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Oct 19 10:30:20 GMT 2004 >Closed-Date: >Last-Modified: >Originator: Pawel Wielebap >Release: FreeBSD 6.0 >Organization: >Environment: FreeBSD volt.iem.pw.edu.pl 6.0-CURRENT FreeBSD 6.0-CURRENT #0: >Description: A problem and the solution is described in the article: www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools_doc.pdf I also enclosed there 2 specific script modifications which can do as main passwd programme, and can be run in setuid mode. Description: - Script smbldap-passwd cannot be run with perl -T (taint) option turned on. - If slappasswd is not available userPassword field is still modified with the empty password!!! and samba password is still modified with the entered password. - Script smbldap-passwd requires slappasswd to generate password and this is not configurable. Slappasswd is an external programme so it is rather not as secure as using perl libraries. >How-To-Repeat: Rename /usr/local/sbin/slappasswd and run smbldap-passwd. An empty password will be applied. Use tainted password like: 'pass; rm -R ~;' >Fix: A modified port can be downloaded from: www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-tools.taz I have rebuild the structure of smbldap-passwd script. This script can be downloaded from: www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap-passwd I don't place the code here because it is very long, so please download it from my web. You have to apply a patch to /usr/local/etc/smbldap-tools/smbldap.conf It can be downloaded from: www.iem.pw.edu.pl/~wielebap/ldap/smbldap-tools/smbldap.conf.diff-freebsd The patch: % cat smbldap.conf.diff-freebsd --- smbldap.conf.orig Tue Oct 19 11:41:37 2004 +++ smbldap.conf Tue Oct 19 11:42:43 2004 @@ -106,7 +106,7 @@ # Default scope Used scope="sub" -# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA) +# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT) hash_encrypt="SSHA" # if hash_encrypt is set to CRYPT, you may set a salt format. @@ -189,4 +189,10 @@ # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but # prefer Crypt::SmbHash library with_smbpasswd="0" -smbpasswd="/usr/bin/smbpasswd" +smbpasswd="/usr/local/bin/smbpasswd" + +# Allows not tu use slappasswd (if without_slappasswd == 1 in smbldap_conf.pm) +# but prefer Crypt:: libraries +without_slappasswd="0" +slappasswd="/usr/local/sbin/slappasswd" + >Release-Note: >Audit-Trail: >Unformatted:
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200410191020.i9JAKjct028412>