Bug 280836 - <net-nds/phpldapadmin-1.2.3: too loose permissions on config.php
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Reported: 2009-08-08 23:15 UTC by Alexander Bezrukov
Modified: 2016-07-02 04:16 UTC
Description Alexander Bezrukov 2009-08-08 23:15:31 UTC
Hi,

the present ebuilds for net-nds/phpldapadmin install phpldapadmin/config/config.php owned by root:root and world-readable. This file can potentially contain sensitive information (secret for encrypting client-side cookies which store DN and password the application binds to the LDAP server with).

File owned by root:apache with mode=640 is a much better default setup.

Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 04:16:58 UTC
Not sure if the package was once stabilized when this report was filed, but net-nds/phpldapadmin is unstable and thus not supported by Gentoo Security.

However, the issue was addressed by the maintainer:

src_install() {
    webapp_src_preinst

    dodoc INSTALL

    # Restrict config file access - bug 280836
    chown root:apache "config/config.php"
    chmod 640 "config/config.php"

    insinto "${MY_HTDOCSDIR}"
    doins -r *

    webapp_configfile "${MY_HTDOCSDIR}/config/config.php"
    webapp_postinst_txt en "${FILESDIR}"/postinstall2-en.txt

    webapp_src_install
}
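
An added example, not part of the bug thread or the ebuild: a shell function that checks an installed config.php against the root:apache / 640 default proposed in the description. The function name, return codes and messages are assumptions of this example, and it needs a stat(1) that supports -c (GNU coreutils or busybox).

```sh
#!/bin/sh
# Added example: audit a web-app config file against the ownership and
# mode proposed in this bug (root:apache, 640).
#
# Return codes (chosen for this example):
#   0 = ownership and mode match     1 = mode grants more than 640
#   2 = owner or group differs       3 = missing or not a regular file
#
# Usage: check_config_perms /path/to/phpldapadmin/config/config.php

check_config_perms() {
    file=$1
    want_owner=${2:-root}      # default taken from the bug report
    want_group=${3:-apache}    # default taken from the bug report

    # Refuse symlinks so the check cannot be pointed at another file.
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "MISSING: $file is not a regular file" >&2
        return 3
    fi

    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    mode=$(stat -c '%a' "$file")    # octal digits, e.g. 644

    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER: $file is $owner:$group, expected $want_owner:$want_group" >&2
        return 2
    fi

    # Any bit outside rw-r----- (world access, group write, exec,
    # setuid/setgid/sticky) makes the file looser than 640.
    if [ $(( 0$mode & ~0640 )) -ne 0 ]; then
        echo "MODE: $file is $mode, expected 640 or stricter" >&2
        if [ $(( 0$mode & 0004 )) -ne 0 ]; then
            echo "  world-readable: every local user can read the cookie secret" >&2
        fi
        return 1
    fi
    return 0
}
```

A mode of 600 also passes, since it grants nothing beyond 640; the web server then needs to own the file or it cannot read it.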