Red Hat Bugzilla – Bug 113408
Client cert file must be world readable
Last modified: 2008-08-02 19:40:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)
Description of problem:
To run nss/pam against an LDAP server that verifies clients,
tls_cert and tls_key must be set in /etc/ldap.conf.
These files must be readable by all for nss to work properly.
This breaks security: everyone can steal the keys and reuse them.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable LDAP auth against an LDAP server that does client verification
2. Set tls_cert and tls_key to the cert files.
3. Set the file permissions on the cert file to 400
4. As a non-root user, run 'll' inside a directory where some files are
owned by a user stored in the LDAP backend
Actual Results: You will get a 'Broken pipe' error
Expected Results: When you change cert file permission to 444,
everything works fine.
Setting the cert file permissions to 444 breaks security, and the keys can be
stolen to compromise you.
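An added audit script, not part of the bug report or of nss_ldap, that reads the path given by tls_key in an ldap.conf-style file and flags the world-readable mode the reporter describes; it detects the exposure rather than fixing it, since nss_ldap needs the key readable to work. The config path, the key path and the GNU `stat -c` syntax are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the TLS client key named by
# tls_key in an nss_ldap-style ldap.conf and report whether other users can
# read it. The config path is a parameter so the check can run on a test copy.

# Print the value of a key (e.g. tls_key) from an ldap.conf-style file:
# lines are "key value", '#' starts a comment, key matching is case-insensitive.
ldapconf_get() {
    conf="$1"; key="$2"
    awk -v k="$key" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }
    ' "$conf"
}

# Octal mode of a file, e.g. 400 or 444 (GNU stat; BSD stat uses -f '%Lp').
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when the "other" permission digit is 0 (no access for other users),
# 1 otherwise. Checks the mode bits, not effective readability, so the result
# is the same whether the audit runs as root or as a normal user.
key_is_private() {
    mode=$(file_mode "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" = "0" ]
}

# Audit one config. Exit status: 0 key is private, 1 world-readable,
# 2 key file missing, 3 no tls_key configured.
audit_ldap_key() {
    conf="$1"
    keyfile=$(ldapconf_get "$conf" tls_key)
    if [ -z "$keyfile" ]; then
        echo "no tls_key set in $conf"; return 3
    fi
    if [ ! -f "$keyfile" ]; then
        echo "tls_key $keyfile not found"; return 2
    fi
    if key_is_private "$keyfile"; then
        echo "OK: $keyfile (mode $(file_mode "$keyfile")) is not readable by other users"
        return 0
    fi
    echo "WARNING: $keyfile (mode $(file_mode "$keyfile")) is readable by others: any local user can copy the client key"
    return 1
}
```

Run it as `audit_ldap_key /etc/ldap.conf`; a mode of 444, the setting the reporter needs for nss to work, produces the WARNING line.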
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.
NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.
Closing per lack of response. Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy. If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy. If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.