Bug 113408 - Client cert file must be world readable
Product: Fedora
Classification: Fedora
Component: nss_ldap
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Nalin Dahyabhai
Keywords: Security
Reported: 2004-01-13 12:08 EST by Petr Krištof
Modified: 2008-08-02 19:40 EDT
Last Closed: 2006-10-25 16:38:27 EDT
Doc Type: Bug Fix
Attachments: None

Description Petr Krištof 2004-01-13 12:08:46 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.1)

Description of problem:
To run nss/pam against an LDAP server that verifies clients,
tls_cert and tls_key must be set in /etc/ldap.conf.

These files must be readable by all for nss to work properly.

This breaks security: everyone can steal the keys and reuse them.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Enable LDAP auth against an LDAP server that does client verification
2. Set tls_cert and tls_key to the cert files.
3. Set file permissions on the cert file to 400
4. As a non-root user, run 'll' inside a directory where some files are
owned by a user stored in the LDAP backend

Actual Results:  You will get a 'Broken pipe' error

Expected Results:  When you change the cert file permission to 444,
everything works fine.

Additional info:

Setting cert file permissions to 444 breaks security, and the keys can be
stolen and used to compromise you.
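The workaround the report describes (a world-readable tls_key) is exactly what an administrator should be able to catch on a host. The script below is an added example, not code from the report or from nss_ldap: it reads the tls_key entry of an nss_ldap-style ldap.conf and flags a private key that is readable by group or others. It assumes GNU coreutils (stat -c) and a POSIX sh; the config file and key it audits are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the tls_key entry of an
# nss_ldap-style /etc/ldap.conf and report a client private key that is
# readable by group or others. Assumes GNU coreutils (stat -c) and a
# POSIX sh; the config and key below are constructed for the demo.

# Value of a keyword in ldap.conf (keywords are case-insensitive,
# comment lines are skipped, first match wins).
ldap_conf_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Octal mode of a file, e.g. 400 or 444.
file_mode() {
    stat -c '%a' "$1"
}

# Succeeds only when neither group nor others hold any permission bit.
key_is_private() {
    mode=$(file_mode "$1")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Audit one config file. Prints one line per finding and returns the
# number of findings (0 = tls_key unset, missing, or properly restricted).
audit_ldap_conf() {
    findings=0
    path=$(ldap_conf_value "$1" tls_key)
    if [ -n "$path" ] && [ -e "$path" ] && ! key_is_private "$path"; then
        echo "tls_key $path is mode $(file_mode "$path"): private key readable by group/others"
        findings=1
    fi
    return "$findings"
}

# Demo: a key left world-readable (mode 444), the workaround the report describes.
demo_dir=$(mktemp -d)
printf 'constructed key material\n' > "$demo_dir/client.key"
chmod 444 "$demo_dir/client.key"
printf 'tls_cert %s/client.crt\ntls_key %s/client.key\n' \
    "$demo_dir" "$demo_dir" > "$demo_dir/ldap.conf"
if audit_ldap_conf "$demo_dir/ldap.conf"; then
    echo "no findings"
else
    echo "findings: $?"
fi
rm -rf "$demo_dir"
```

On a real host, point audit_ldap_conf at /etc/ldap.conf; a non-zero return means the key is exposed the way the report describes and the deployment needs a design that keeps the key root-only (for example, a privileged helper rather than per-user reads).
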
Comment 1 Matthew Miller 2006-07-11 13:31:50 EDT
Fedora Core 1 is maintained by the Fedora Legacy project for security updates
only. If this problem is a security issue, please reopen and reassign to the
Fedora Legacy product. If it is not a security issue and hasn't been resolved in
the current FC5 updates or in the FC6 test release, reopen and change the
version to match.
NOTE: Fedora Core 1 is reaching the final end of support even by the Legacy
project. After Fedora Core 6 Test 2 is released (currently scheduled for July
26th), there will be no more security updates for FC1. Please use these next two
weeks to upgrade any remaining FC1 systems to a current release.

Comment 2 John Thacker 2006-10-25 16:38:27 EDT
Closing per lack of response.  Also note that FC1 and FC2 are no longer
supported even by Fedora Legacy.  If this still occurs on FC3 or FC4, please
assign to that version and Fedora Legacy.  If it still occurs on FC5 or FC6,
please reopen and assign to the correct version.