Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

BDII Services insecure/unecessary exposed due to elevated capabilities/roles #65

Open
thdesy opened this issue Jul 22, 2024 · 1 comment
Open

BDII Services insecure/unecessary exposed due to elevated capabilities/roles #65

thdesy opened this issue Jul 22, 2024 · 1 comment

Comments

@thdesy
Copy link

thdesy commented Jul 22, 2024

Short Description of the issue

bdii.srvice, bdii-slapd.service are uneccessarily exposed and potentially insecure due to elevated roles & permissions required, i.e., requirering as root with runuser requiring all system capabilities

Environment

  • RedHat 9
  • 5.14.0-427.20.1.el9_4.x86_64
  • bdii-6.0.3-1.el9.noarch

Description

The bdii and bdii-slapd services have to be run under root, no service set up on a constraint user is possible, e.g.,

> cat /etc/systemd/system/bdii.service.d/01-user.conf
[Service]
User=ldap
Group=ldap

also no dropping of capabilities is possible, e.g.

> cat /etc/systemd/system/bdii.service.d/02-capsconf
[Service]
#CapabilityBoundingSet=CAP_KILL CAP_CHOWN                                                                                                                                                                                                                  
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE

Presumed cause

The default service seems to reuse a SysV run script, that relies on runuser to drop from root to the ldap user.

> cat /usr/lib/systemd/system/bdii.service
[Unit]
Description=Berkeley Database Information Index
Documentation=man:bdii-update(1)
After=bdii-slapd.service
Requires=bdii-slapd.service
BindsTo=bdii-slapd.service

[Service]
Type=forking
PIDFile=/run/bdii/bdii-update.pid
EnvironmentFile=-/etc/sysconfig/bdii
ExecStart=/bin/sh -c ' \
  BDII_CONF=$${BDII_CONF:-/etc/bdii/bdii.conf} ; \
  [ -r "$${BDII_CONF}" ] && . "$${BDII_CONF}" ; \
  BDII_USER=$${BDII_USER:-ldap} ; \
  BDII_UPDATE=$${BDII_UPDATE:-/usr/sbin/bdii-update} ; \
  export SLAPD_CONF=$${SLAPD_CONF:-/etc/bdii/bdii-slapd.conf} ; \
  /sbin/runuser -s /bin/sh $${BDII_USER} -c "$${BDII_UPDATE} -c $${BDII_CONF} -d ; sleep 2" \
'

[Install]
WantedBy=multi-user.target
@gwarf
Copy link
Member

gwarf commented Jul 29, 2024

Dear @thdesy, thanks for the report!
If you are willing to, or if you already made some local tests and changes, we would welcome a PR regarding this issue.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gwarf @thdesy