Hi, the present ebuilds for net-nds/phpldapadmin install phpldapadmin/config/config.php owned by root:root and world-readable. This file can potentially contain sensitive information (the secret for encrypting client-side cookies which store the DN and password the application binds to the LDAP server with). A file owned by root:apache with mode=640 is a much better default setup.

Reproducible: Always
Not sure if the package was once stabilized when this report was filed, but net-nds/phpldapadmin is unstable and thus not supported by Gentoo Security. However, the issue was addressed by the maintainer:

    src_install() {
        webapp_src_preinst
        dodoc INSTALL

        # Restrict config file access - bug 280836
        chown root:apache "config/config.php"
        chmod 640 "config/config.php"

        insinto "${MY_HTDOCSDIR}"
        doins -r *
        webapp_configfile "${MY_HTDOCSDIR}/config/config.php"
        webapp_postinst_txt en "${FILESDIR}"/postinstall2-en.txt
        webapp_src_install
    }
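As an added check that is not part of this bug or of the Gentoo ebuild: a POSIX shell audit that verifies a deployed config.php carries the owner, group and mode the maintainer's fix installs (root:apache, 640), plus a helper applying the same chown/chmod. It assumes GNU stat (-c) on a Linux host; the file path and the sample secret line used in the comments are constructed.

```shell
#!/bin/sh
# Audit a web application config file for the problem in this report:
# a world-readable file holding a cookie-encryption secret.
# Usage: check_config_perms FILE EXPECTED_OWNER EXPECTED_GROUP
# Returns 0 when FILE is owned by EXPECTED_OWNER:EXPECTED_GROUP, has no
# permission bits for "other" and is not group-writable; otherwise prints
# each violation on stderr and returns 1.
check_config_perms() {
    file=$1; want_owner=$2; want_group=$3
    [ -f "$file" ] || { echo "$file: missing" >&2; return 1; }
    # Assumption: GNU coreutils stat, as on the Gentoo host in the report.
    owner=$(stat -c %U "$file")
    group=$(stat -c %G "$file")
    mode=$(stat -c %a "$file")          # octal digits, e.g. 640 or 2640
    rc=0
    [ "$owner" = "$want_owner" ] || {
        echo "$file: owner $owner, expected $want_owner" >&2; rc=1; }
    [ "$group" = "$want_group" ] || {
        echo "$file: group $group, expected $want_group" >&2; rc=1; }
    other=$(( mode % 10 ))              # last octal digit: rwx for "other"
    grp=$(( (mode / 10) % 10 ))         # middle octal digit: rwx for group
    [ "$other" -eq 0 ] || {
        echo "$file: world-accessible (mode $mode)" >&2; rc=1; }
    [ $(( grp & 2 )) -eq 0 ] || {
        echo "$file: group-writable (mode $mode)" >&2; rc=1; }
    return $rc
}

# Apply the same fix the ebuild's src_install() performs.
# Usage: fix_config_perms FILE OWNER GROUP
fix_config_perms() {
    chown "$2:$3" "$1" && chmod 640 "$1"
}

# Example invocation, e.g. after a manual install (path constructed):
# check_config_perms /var/www/localhost/htdocs/phpldapadmin/config/config.php root apache \
#     || fix_config_perms /var/www/localhost/htdocs/phpldapadmin/config/config.php root apache
```

Run it as root against the installed config.php; the audit alone needs no privileges and is safe to run from a periodic job.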