Bug 57453 - AD connector cache files are world readable
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: UMC - AD Connector
UCS 5.0
Other Linux
: P5 normal
: UCS 5.0-8-errata
Assigned To: Julia Bremer
Dirk Wiesenthal
Reported: 2024-07-16 22:14 CEST by Julia Bremer
Modified: 2024-08-14 16:48 CEST
What kind of report is it?: Bug Report
Bug group (optional): Security
Description Julia Bremer univentionstaff 2024-07-16 22:14:52 CEST
The adconnector creates cache files that contain mappings between DNs, entryUUID and objectGUIDs.
These files are created by the ad connector and are world readable.
This is actually checked by a diagnostic module, but in my opinion, these files should only be readable to root instead.
The files don't contain direct secrets, passwords etc., though one could consider that a minor information leak.

These rights are currently not explicitly set, they are just left as a default,
which creates "interesting" cases where the cache files are just readable to root, depending on if one completes the setup via UMC or not, because it starts the connector via the /etc/init.d/ script and thus inherits its umask to the ad-connector service.

(which is why we were even looking at that -> It's the reason this diagnostic check is failing for admember ( https://jenkins2022.knut.univention.de/view/Active/job/UCS-5.0/job/UCS-5.0-8/job/ADMemberMultiEnv/Version=w2k19-french/lastCompletedBuild/testReport/00_checks/81_diagnostic_checks/test_run_diagnostic_checks_31_file_permissions_/ ))
Comment 1 Julia Bremer univentionstaff 2024-07-29 09:10:51 CEST
a95990e4a4 Bug #57453: Yaml update
09fa03672a Bug #57453: Prevent SQLite databases from being world readable
c6aeab78ca Bug #57453: Prevent SQLite databases from being world readable
b57046e48b Bug #57453: Prevent SQLite databases from being world readable
1619ea90d3 Bug #57453: Added YAML files
cf22465af6 Bug #57453: Prevent SQLite databases from being world readable


The ad + s4connector now run with umask 027, which makes all files they create per default have filemode 640 usually.
The scripts resync_from*, remove_from* and so on have been adjusted to create the sqlite tables with filemode 640 too.
After installation, the postinst has been adjusted to touch these sqlite tables and create them initially with the correct file permissions.
The diagnostic module has been adjusted to check for the files being in mode 640.
The postinst has been adjusted to chmod these files accordingly during upgrade.
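
The umask dependence described in this report, as an added example that is not part of the original comment or of the UCS code base: SQLite creates its database file with mode 0644 masked by the process umask, so the resulting mode follows whatever umask the service inherited, while a pre-created file keeps its mode. The file names, the table schema and the helper functions are constructed for illustration, and everything runs in a temporary directory.

```python
import os
import sqlite3
import stat
import tempfile

EXPECTED_MODE = 0o640  # mode the fix description names for the cache files


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def create_cache(path, umask):
    """Open (and, if missing, create) a SQLite file under the given umask; return its mode."""
    old = os.umask(umask)
    try:
        con = sqlite3.connect(path)
        # Constructed table; the connector's real schema is not shown on the page.
        con.execute("CREATE TABLE IF NOT EXISTS mapping (dn TEXT, guid TEXT)")
        con.commit()
        con.close()
    finally:
        os.umask(old)
    return mode_of(path)


def touch_with_mode(path, mode=EXPECTED_MODE):
    """Pre-create or correct a file so its mode does not depend on the caller's umask."""
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, mode)
    try:
        os.fchmod(fd, mode)  # fchmod is not masked by umask and also fixes existing files
    finally:
        os.close(fd)
    return mode_of(path)


def wrong_mode(paths, expected=EXPECTED_MODE):
    """Diagnostic-style check: map each path whose mode differs to its actual mode."""
    return {p: mode_of(p) for p in paths if mode_of(p) != expected}


def demo():
    """Create caches under three inherited umasks, then one pre-created with 0640."""
    with tempfile.TemporaryDirectory() as d:
        names = ("um022", "um077", "um027")
        modes = {n: create_cache(os.path.join(d, n + ".sqlite"), int(n[2:], 8)) for n in names}
        pre = os.path.join(d, "pre.sqlite")
        touch_with_mode(pre)
        modes["pre_then_um022"] = create_cache(pre, 0o022)  # existing file keeps 0640
        flagged = wrong_mode(os.path.join(d, n + ".sqlite") for n in names + ("pre",))
        return modes, sorted(os.path.basename(p) for p in flagged)
```

Only the umask 027 file and the pre-created file pass the 640 check; the umask 022 file is world readable and the umask 077 file is readable by its owner only, which is the inconsistency the report describes.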
Comment 2 Dirk Wiesenthal univentionstaff 2024-08-13 09:37:17 CEST
Code review: OK
Connector Tests: OK
YAML: OK