View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0004257 | SOGo | sogo-tool | public | 2017-08-22 06:56 | 2022-01-26 19:05 |
Reporter | zhb | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | no change required | ||
Summary | 0004257: Security concern? Backup file generated with 'sogo-tool backup' contains full LDIF data of user | ||||
Description | We store mail accounts in OpenLDAP. Why does the SOGo backup file contain the full LDIF data of the user, especially the attribute "userPassword"? I suppose only the uid (full email address) should be enough, because we have an LDAP query filter defined in sogo.conf. SOGo can always get the LDAP dn and full LDIF data with the LDAP query filter and login username; there's no need to store the full LDIF at all. It becomes a security concern if the sysadmin didn't realize the backup file contains the (hashed) password and didn't set proper owner/group and file permissions. | ||||
Tags | No tags attached. | ||||
What we're talking about in backup file: |
|
Dear developers, Any update? |
|
userPassword was removed a long time ago. |
|
Reopen if necessary. |
|
Date Modified | Username | Field | Change |
---|---|---|---|
2017-08-22 06:56 | zhb | New Issue | |
2017-08-22 06:59 | zhb | Note Added: 0012203 | |
2021-10-08 03:05 | zhb | Note Added: 0015535 | |
2021-10-08 08:00 | Christian Mack | Note Added: 0015537 | |
2022-01-26 19:04 | francis | Note Edited: 0012203 | |
2022-01-26 19:05 | francis | Status | new => closed |
2022-01-26 19:05 | francis | Resolution | open => no change required |
2022-01-26 19:05 | francis | Note Added: 0015820 |
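
A check an administrator could run over a backup directory for the two conditions raised in the description: the `userPassword` attribute present in a backup file, and permissions that give group or other users access to it. This is an added example, not part of the issue thread or of SOGo's code; it searches raw bytes and assumes nothing about the backup file format, and the file names and contents in `demo()` are constructed.

```python
import os
import stat
import tempfile

NEEDLE = b"userpassword"  # LDAP attribute named in the report, lower-cased
CHUNK = 64 * 1024

def contains_attribute(path, needle=NEEDLE):
    """Stream the file, case-insensitively; keep an overlap between reads
    so a match split across two chunks is still found."""
    tail = b""
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            window = tail + chunk.lower()
            if needle in window:
                return True
            tail = window[-(len(needle) - 1):]
    return False

def audit_backup_dir(root):
    """Return {path: [findings]} for regular files under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # do not follow symlinks out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            findings = []
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("mode %03o grants group/other access"
                                % stat.S_IMODE(st.st_mode))
            if contains_attribute(path):
                findings.append("contains userPassword")
            if findings:
                report[path] = findings
    return report

def demo():
    """Constructed sample data, not real sogo-tool output."""
    root = tempfile.mkdtemp()
    samples = {
        "alice@example.com": (b"uid: alice\nuserPassword: {SSHA}CONSTRUCTED\n", 0o644),
        "bob@example.com": (b"uid: bob\n", 0o600),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    return root, audit_backup_dir(root)
```

Calling `audit_backup_dir()` on the real backup directory returns only the files that need attention; an empty result means no file matched either condition.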