Linux Archive > Debian > Debian Development
04-04-2008, 07:18 AM
Cajus Pollmeier

How to deal with #402010?

Hi,

my position on this bug is written down in the bug tracker and I don't consider
this a bug. Any opinions about what to do with it? It would apply to
virtually any kind of web application accessing some kind of database/LDAP
passwords somewhere in the filesystem.

This is a simulated problem - or maybe someone wants to implement built-in ACL
support for (at least) the 4 major LDAP servers?

Thanks,
Cajus


--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 
04-04-2008, 08:21 AM
Roland Mas

How to deal with #402010?

Cajus Pollmeier, 2008-04-04 09:18:37 +0200 :

> Hi,
>
> my position to this bug is written down in the bugtracker and I
> don't consider this a bug. Any opinions about what to do with it? It
> would apply to virtually any kind of web application accessing some
> kind of database/ldap passwords somewhere in the filesystem.

Depending on the web server, there may be a way around that problem.
The following works with Apache, at least, and I guess it can be
adapted to other servers as well.

The thing is to store the passwords or sensitive info in files that
are only readable by root, and have Apache read these files and export
the information selectively to some webapps and not others, by
wrapping the appropriate directives in VirtualHost (or similar)
blocks. Then it's a simple matter (ahem) of passing the info to the
webapp, and there are two ways to do that: with SetEnv (not ideal) or
with RequestHeader (probably better).

Roland.
--
Roland Mas

And it's so much sweeter to be called an idiot in a song...
-- from En chantant (Michel Sardou)


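The layout Roland describes, written out as an Apache configuration. This is an added example, not configuration from the thread; the vhost name, file paths, header name and environment variable name are assumptions.

```apache
# /etc/apache2/sites-available/webapp.conf  (path and names assumed)
<VirtualHost *:443>
    ServerName webapp.example.org
    DocumentRoot /usr/share/webapp/html

    # /etc/apache2/secrets/webapp.conf is owned by root, mode 0600.
    # The Apache parent process reads all Include files as root when the
    # configuration is loaded, before forking the unprivileged children, so the
    # www-data workers and any other user on the host never need to open it.
    # Only this VirtualHost includes it, so other vhosts do not see the value.
    Include /etc/apache2/secrets/webapp.conf
</VirtualHost>

# /etc/apache2/secrets/webapp.conf  (contents; the value is a placeholder)
#
# Option 1: environment variable (needs mod_env). Simple, but the variable is
# inherited by every CGI/PHP process in this vhost and shows up in anything
# that dumps the environment, which is why Roland calls it "not ideal".
SetEnv LDAP_BIND_PW "PLACEHOLDER-CHANGE-ME"

# Option 2: request header (needs mod_headers), scoped to the one location
# that needs it. "set" replaces any header of that name a client sent, so a
# remote user cannot pre-fill it; "add"/"append" would keep the client's copy.
<Location /webapp>
    RequestHeader set X-LDAP-Bind-PW "PLACEHOLDER-CHANGE-ME"
</Location>
```

The application then reads the value from its environment or from the incoming header instead of from a world-readable file under its own document root.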
 
04-04-2008, 09:50 AM
Holger Levsen

How to deal with #402010?

Hi,

On Friday 04 April 2008 09:18, Cajus Pollmeier wrote:
> to virtually any kind of web application accessing some kind of
> database/ldap passwords somewhere in the filesystem.

I don't consider a web application which is used to configure the LDAP database
and the FAI configuration (to install and configure all machines in the network)
to be just like any other web application.

In this bug there are several suggestions on how to implement a way better
mechanism to deal with the password than the current one.

Also, I unarchived this bug, because I think the least you can and should do is
to document this in README.Debian. (This = don't allow public html dirs for
users and leave safe mode on.)


regards,
Holger

P.S.: regarding those four major LDAP servers... I think it would be a great
start if it were more secure with one of them :-)
 

All times are GMT.