Bug 280836

Summary: <net-nds/phpldapadmin-1.2.3: too loose permissions on config.php
Product: Gentoo Security
Reporter: Alexander Bezrukov <phmagic>
Component: Default Configs
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: vostorga, web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---

Description Alexander Bezrukov 2009-08-08 23:15:31 UTC
Hi,

the present ebuilds for net-nds/phpldapadmin install phpldapadmin/config/config.php owned by root:root and world-readable. This file can potentially contain sensitive information (secret for encrypting client-side cookies which store DN and password the application binds to the LDAP server with).

File owned by root:apache with mode=640 is a much better default setup.

Reproducible: Always
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 04:16:58 UTC
Not sure if the package was once stabilized when this report was filed, but net-nds/phpldapadmin is unstable and thus not supported by Gentoo Security.

However, the issue was addressed by the maintainer:

src_install() {
    webapp_src_preinst

    dodoc INSTALL

    # Restrict config file access - bug 280836
    chown root:apache "config/config.php"
    chmod 640 "config/config.php"

    insinto "${MY_HTDOCSDIR}"
    doins -r *

    webapp_configfile "${MY_HTDOCSDIR}/config/config.php"
    webapp_postinst_txt en "${FILESDIR}"/postinstall2-en.txt

    webapp_src_install
}
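As an added audit check for the misconfiguration this bug describes (example code, not part of the ebuild or the report): a POSIX shell function that fails when a config.php is world-accessible or not owned by the expected user and group (defaulting to root:apache as in the fix). It assumes GNU coreutils `stat -c`; the demo uses the current user and group because chown needs root.

```shell
# check_config_perms FILE [OWNER] [GROUP]
# Returns 0 when FILE has no "other" (world) permission bits and is owned by
# OWNER:GROUP (defaults root:apache); returns 1 and reports each finding on
# stderr otherwise. Assumes GNU coreutils stat.
check_config_perms() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-apache}
    rc=0

    if [ ! -f "$file" ]; then
        echo "$file: missing" >&2
        return 1
    fi

    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3

    # The last octal digit holds the permission bits for "other" (world).
    other=${mode#"${mode%?}"}
    if [ "$other" != 0 ]; then
        echo "$file: world-accessible (mode $mode), expected 640" >&2
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "$file: owned by $owner:$group, expected $want_owner:$want_group" >&2
        rc=1
    fi
    return $rc
}

# Demo on a constructed temporary file: the loose default (644) from the
# report versus the fixed mode (640), checked against the current user/group.
demo() {
    tmp=$(mktemp)
    me=$(id -un)
    mygrp=$(id -gn)
    for m in 644 640; do
        chmod "$m" "$tmp"
        if check_config_perms "$tmp" "$me" "$mygrp"; then
            echo "mode $m: ok"
        else
            echo "mode $m: FAIL"
        fi
    done
    rm -f "$tmp"
}
demo
```

On a live install, point it at the config.php under the vhost's htdocs directory (what the ebuild's ${MY_HTDOCSDIR} resolves to) and let OWNER and GROUP default to root:apache.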