Univention Bugzilla – Bug 57453
AD connector cache files are world readable
Last modified: 2024-08-14 16:48:26 CEST
The adconnector creates cache files that contain mappings between DNs, entryUUIDs and objectGUIDs. These files are created by the AD connector and are world readable. This is actually checked by a diagnostic module, but in my opinion these files should only be readable by root instead. The files don't contain direct secrets, passwords etc., though one could consider that a minor information leak. These rights are currently not explicitly set; they are just left as a default, which creates "interesting" cases where the cache files are only readable by root depending on whether one completes the setup via UMC or not, because it starts the connector via the /etc/init.d/ script and thus its umask is inherited by the ad-connector service. (Which is why we were even looking at that -> it's the reason this diagnostic check is failing for admember: https://jenkins2022.knut.univention.de/view/Active/job/UCS-5.0/job/UCS-5.0-8/job/ADMemberMultiEnv/Version=w2k19-french/lastCompletedBuild/testReport/00_checks/81_diagnostic_checks/test_run_diagnostic_checks_31_file_permissions_/ )
a95990e4a4 Bug #57453: Yaml update
09fa03672a Bug #57453: Prevent SQLite databases from being world readable
c6aeab78ca Bug #57453: Prevent SQLite databases from being world readable
b57046e48b Bug #57453: Prevent SQLite databases from being world readable
1619ea90d3 Bug #57453: Added YAML files
cf22465af6 Bug #57453: Prevent SQLite databases from being world readable

The ad + s4connector now run with umask 027, which makes all files they create have filemode 640 per default. The scripts resync_from*, remove_from* and so on have been adjusted to create the sqlite tables with filemode 640 too. After installation, the postinst has been adjusted to touch these sqlite tables and create them initially with the correct file permissions. The diagnostic module has been adjusted to check for the files being in mode 640. The postinst has been adjusted to chmod these files accordingly during upgrade.
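The following is an added example, not Univention's code: it shows the two halves of the fix described in the comment above, a cache database created while umask 027 is in force (ending up 0640), the postinst-style chmod for files that already existed with the old default mode, and a diagnostic-style check that reports anything not at 0640. File names and the table layout are constructed for the demo.

```python
import os
import sqlite3
import tempfile

# Added example, not Univention code. Files created while umask 027 is active
# come out as 0640; files that existed before the upgrade keep their old mode
# and need an explicit chmod (the postinst step). Names here are constructed.

CONNECTOR_UMASK = 0o027   # umask the connectors now run with
EXPECTED_MODE = 0o640     # mode the diagnostic module expects

def file_mode(path):
    return os.stat(path).st_mode & 0o777   # permission bits only, e.g. 0o640

def create_cache_db(path, umask=CONNECTOR_UMASK):
    """Create an SQLite cache database with `umask` in force; return its mode."""
    old = os.umask(umask)
    try:
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE IF NOT EXISTS mapping (dn TEXT, guid TEXT)")
        con.commit()
        con.close()
    finally:
        os.umask(old)          # never leave a changed umask behind
    return file_mode(path)

def fix_permissions(paths, mode=EXPECTED_MODE):
    """Postinst-style repair: chmod files not already at `mode`; return those changed."""
    changed = []
    for p in paths:
        if file_mode(p) != mode:
            os.chmod(p, mode)
            changed.append(p)
    return changed

def check_permissions(paths, expected=EXPECTED_MODE):
    """Diagnostic-style check: (path, mode) for every file not at `expected`."""
    return [(p, oct(file_mode(p))) for p in paths if file_mode(p) != expected]

def demo():
    """A file created under umask 027 next to a 0644 file left from before the fix."""
    d = tempfile.mkdtemp()
    new, old = os.path.join(d, "mapping.sqlite"), os.path.join(d, "legacy.sqlite")
    new_mode = create_cache_db(new)          # 0o640 thanks to umask 027
    create_cache_db(old, umask=0o022)        # simulate a pre-fix, world-readable file
    before = check_permissions([new, old])   # flags legacy.sqlite only
    fixed = fix_permissions([new, old])      # postinst chmod
    after = check_permissions([new, old])    # nothing left to report
    return new_mode, before, fixed, after
```

Run `demo()` on a Linux host; the first element is the mode of the freshly created file, the second lists the legacy file before repair, and the last is empty once the chmod has been applied.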
Code review: OK
Connector Tests: OK
YAML: OK
<https://errata.software-univention.de/#/?erratum=5.0x1096>
<https://errata.software-univention.de/#/?erratum=5.0x1097>
<https://errata.software-univention.de/#/?erratum=5.0x1098>