Re: Small Report of Dev WE in France 18-19/03 - Work on user administration tool
On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
> In Erkelenz a group of developers wanted to work on a user
> administration tool. This group is formed by: Christian Kuelker,
> Benjamin Sonntag, Thomas Courbeil, Xavier Oswald, Jean Charles
> Siegel... Sorry if I forgot somebody.
Great to hear!
> The idea was to use the very good work made by Christian Kuelker
> with CiPux. CiPux is a set of very powerful Perl scripts which
> make it possible to manage LDAP.
I studied some of the CiPux code a bit, and there are several security
issues which must be fixed before we can use this in our
Debian-Edu/Skolelinux distribution. I've found examples in the code
where passwords are sent to the command line. One example is in
get_value.pl, where the LDAP password is provided on the
command line to LDAP command-line utilities.
In another file, passwords, crypts and some NT password hashes are
written directly in the logfile which is, in my eyes, far away from
First of all I hope that the people that have implemented a solution
based on CiPux have restricted the access to the CiPux logfile!
Second, the problem with the passwords in commands called in perl is
that a student can watch the processlist with e.g. 'ps ax' and be able
to pick up passwords for users or machines.
If we can get the CiPux framework free of these kinds of bugs, we
should start the process of packaging it and uploading it to Debian.
> The proposition is to add an interface for CiPux in the Intranet
> made by the French team with Moodle. The solution adopted in
> Erkelenz is to create a RPC engine which controls CiPux and which
> can interact with various interfaces:
> - Moodle modules
> - CAT' in PHP
> - Something in Java
> - PAS
> - ...
> If you want to see the work made on the Intranet, you can have a
> look at http://moodle.skolelinux.fr/
> We can announce that the RPC engine is running. The source code of
> this work can be found in the fr branch in the moodle - ldap
> At the beginning of the next month, two students will start to write
> the interface for Moodle. We hope that this work will be ready for
> the Dev Camp.
Unfortunately I don't have any Moodle-knowledge, but do you know how
hard/easy it will be to make a CiPux-plugin written for Moodle
preconfigured for our Debian-Edu/Skolelinux distribution? At least you
should make sure the students write the configuration part of the
plugin with this in mind.
> This work is a first result from the collaboration started between
> the French and German team and of course everybody must feel free to
> join this work even if he's not French or German ;)
I believe that working together across the country borders is how we
all will have a better product to offer our "customers", and I hope
that many will contribute so we'll have a nicer user
administration tool ready this summer when Debian starts the freeze
for etch. I hope that my comments about CiPux are taken seriously as I
believe the problems commented on are very serious from a security point of
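The two problems raised in the message above (a bind password handed to the LDAP command-line tools as an argument, and secrets copied into the logfile) and the usual way out of both, shown as an added example. This is not CiPux code and not code from the message's author; the bind DN, the password and the search base are constructed values, and the process-list check runs a harmless `sh` child with the same argv shape instead of a real `ldapsearch`, so no LDAP server is needed:

```perl
#!/usr/bin/perl
# Added example (not CiPux): why a password in argv leaks through 'ps ax',
# and how to hand the secret to ldapsearch/ldapmodify without putting it there.
use strict;
use warnings;
use File::Temp qw(tempfile);

my $bind_dn  = 'cn=admin,dc=skole,dc=skolelinux,dc=no';   # assumed DN
my $base_dn  = 'dc=skole,dc=skolelinux,dc=no';            # assumed base
my $password = 'hunter2-example';                          # constructed secret

# --- The leaky pattern: the password is an argument of the command. ---
# While the command runs, every local user can read it from the process list.
sub leaky_argv {
    my ($dn, $pw) = @_;
    return ('ldapsearch', '-x', '-D', $dn, '-w', $pw, '-b', $base_dn, '(uid=*)');
}

# --- The safer pattern: secret in a mode-0600 file, passed with -y. ---
# OpenLDAP's client tools read the bind password from the file named by -y,
# so only the file path, not the password, shows up in argv.
sub safe_argv {
    my ($dn, $pw) = @_;
    my ($fh, $path) = tempfile(UNLINK => 1);   # File::Temp creates it 0600
    chmod 0600, $path;                          # make the intent explicit
    print $fh $pw;                              # no newline: -y uses the file contents verbatim
    close $fh or die "close $path: $!";
    return ('ldapsearch', '-x', '-D', $dn, '-y', $path, '-b', $base_dn, '(uid=*)');
}

# --- Logging: never let the password (or a hash of it) reach the logfile. ---
# Mask the value following -w before a command line is logged.
sub redact_for_log {
    my (@argv) = @_;
    my @out;
    for (my $i = 0; $i < @argv; $i++) {
        if ($argv[$i] eq '-w' && $i + 1 < @argv) {
            push @out, '-w', '[REDACTED]';
            $i++;                               # skip the secret itself
        } else {
            push @out, $argv[$i];
        }
    }
    return join ' ', @out;
}

# Show the leak without a real LDAP server: fork a harmless child whose argv
# has the same shape as the leaky call, then read what 'ps' exposes.
sub shown_in_process_list {
    my ($pw) = @_;
    my $pid = fork();
    die "fork: $!" unless defined $pid;
    if ($pid == 0) {
        # 'sh -c CMD NAME ARGS...': the trailing args only become $0, $1, ...
        # and stay in the shell's argv; the second command stops sh from
        # exec'ing sleep directly, which would have replaced that argv.
        exec('sh', '-c', 'sleep 2; exit 0', 'ldapsearch', '-w', $pw)
            or die "exec: $!";
    }
    select(undef, undef, undef, 0.3);           # let the child exec
    my $ps = `ps -o args= -p $pid`;             # what any user's 'ps ax' shows
    kill 'TERM', $pid;
    waitpid($pid, 0);
    return index($ps, $pw) >= 0;
}

print "leaky:  ", join(' ', leaky_argv($bind_dn, $password)), "\n";
print "logged: ", redact_for_log(leaky_argv($bind_dn, $password)), "\n";
print "safe:   ", join(' ', safe_argv($bind_dn, $password)), "\n";
print "password visible in ps: ", (shown_in_process_list($password) ? "yes" : "no"), "\n";
```

The -y file is an improvement over -w but still a secret on disk, even if briefly and with mode 0600; a long-lived tool is better off binding through a library such as Net::LDAP and keeping the password in memory only. The redaction shown here covers the command line; the logfile problem from the message also needs the code that writes crypts and NT hashes to the log removed, since no redaction of argv helps there.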