Bug 117936 - net-ftp/pure-ftpd - pureftpd-ldap.conf is 644
Summary: net-ftp/pure-ftpd - pureftpd-ldap.conf is 644
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: High normal
Assignee: Luca Longinotti (RETIRED)
Reported: 2006-01-05 13:53 UTC by Bel Zébute
Modified: 2006-09-23 16:16 UTC


Attachments
fix permissions (pure-ftpd-fix_config_perms-1.0.20-r2.ebuild.patch,293 bytes, patch)
2006-03-21 20:01 UTC, Fernando Ribeiro

Description Bel Zébute 2006-01-05 13:53:22 UTC
An inexperienced admin (like me) could put in that file the password to bind to the LDAP server.  With 644, the password would then be readable by any user on the system.

Suggestion:

chmod 600 /etc/openldap/pureftpd-ldap.conf

Should be done while file is in the image folder.
Comment 1 Fernando Ribeiro 2006-03-21 20:01:58 UTC
Created attachment 82831
fix permissions

http://download.pureftpd.org/pub/pure-ftpd/doc/README.LDAP


  ------------------------ LDAP CONFIGURATION FILE ------------------------
  
  
Before running the server, you have to create a configuration file. Why a
configuration file instead of simple command-line options? you may ask.
Because for security reasons, you may want to hide how to connect to your
LDAP server. And as command-line options can be discovered by local users
(with 'ps auxwww' for instance), it's more secure to use a configuration
file for sensitive data. Keep the file only readable by root (chmod 600).
Comment 2 Luca Longinotti (RETIRED) gentoo-dev 2006-09-23 16:16:44 UTC
Fixed in 1.0.21-r1.
Best regards, CHTEKK.
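
An added example, not part of the bug thread or the Gentoo ebuild: a shell check that flags group/other access on a credentials file, plus staging the file into an image directory with mode 0600 already set, as the report suggests. The function names, temporary paths and sample file contents are constructed, and the `LDAPBindPW` line holds a placeholder value.

```shell
#!/bin/sh
# Added example: names, paths and file contents below are constructed.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Exit status: 0 = no group/other access, 1 = group or other bits set,
# 2 = file missing or its mode could not be read.
check_secret_perms() {
    [ -f "$1" ] || return 2
    mode=$(file_mode "$1") || return 2
    # Leading 0 makes the shell read the value as octal; 077 masks group+other.
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Copy a config into an image (staging) tree with mode 0600 already set,
# so the file never reaches the live filesystem as 644.
stage_secret_config() {
    src=$1; image=$2; rel=$3
    mkdir -p "$image/$(dirname "$rel")" &&
        install -m 0600 "$src" "$image/$rel"
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample config with a placeholder bind password.
    printf 'LDAPBindPW placeholder-not-a-real-secret\n' > "$tmp/pureftpd-ldap.conf"
    chmod 644 "$tmp/pureftpd-ldap.conf"

    if check_secret_perms "$tmp/pureftpd-ldap.conf"; then
        echo "source: ok"
    else
        echo "source: readable by group/other ($(file_mode "$tmp/pureftpd-ldap.conf"))"
    fi

    stage_secret_config "$tmp/pureftpd-ldap.conf" "$tmp/image" etc/openldap/pureftpd-ldap.conf
    if check_secret_perms "$tmp/image/etc/openldap/pureftpd-ldap.conf"; then
        echo "staged: ok ($(file_mode "$tmp/image/etc/openldap/pureftpd-ldap.conf"))"
    fi
    rm -rf "$tmp"
}

demo
```

The check looks only at permission bits; the README's "only readable by root" also depends on the file being owned by root.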