
Re: Small Report of Dev WE in France 18-19/03 - Work on user administration tool

On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:

> In Erkelenz a group of developers wanted to work on a user
> administration tool.  This group is formed by: Christian Kuelker,
> Benjamin Sonntag, Thomas Courbeil, Xavier Oswald, Jean Charles
> Siegel... Sorry if I forgot somebody.

Great to hear!

> The idea was to use the very good work made by Christian Kuelker
> with CiPux.  Cipux is a whole of very powerful Perl scripts which
> makes it possible to manage LDAP.

I studied some of the CiPux-code a bit, and there are several security
issues which must be fixed before we can use this in our
Debian-Edu/Skolelinux distribution. I've found examples in the code
where passwords are sent to the command-line. One example is in
get_value.pl [1] where the LDAP-password is provided on the
command-line to LDAP-commandline utilities.

In another file [2] passwords, crypts and some NT-passwordhashes are
written directly in the logfile which is, in my eyes, far away from

First of all I hope that the people that have implemented a solution
based on CiPux have restricted the access to the CiPux logfile!
Second, the problem with the passwords in commands called in perl is
that a student can watch the processlist with e.g. 'ps ax' and be able
to pick up passwords for users or machines.

If we can get the CiPux-framework free of these kinds of bugs, we
should start the process of packaging it and uploading it to Debian.

> The proposition is to add an interface for CiPux in the Intranet
> made by the French team with Moodle. The solution adopted in
> Erkelenz is to create a RPC engine which controls CiPux and which
> can interact with various interfaces:
> - modules moodle
> - CAT' in PHP
> - Something in java
> - PAS
> - ...
> If you want to see the work made on the Intranet, you can have a
> look at http://moodle.skolelinux.fr/
> We can announce that the RPC engine is running. The source code of
> this work can be found in the fr branch in the moodle - ldap
> package.
> At the beginning of the next month, two students will start to write
> the interface for Moodle. We hope that this work will be ready for
> the Dev Camp.

Unfortunately I don't have any Moodle-knowledge, but do you know how
hard/easy it will be to make a CiPux-plugin written for Moodle
preconfigured for our Debian-Edu/Skolelinux distribution? At least you
should make sure the students write the configuration part of the
plugin with this in mind.

> This work is a first result from the collaboration started between
> the French and German team and of course everybody must feel free to
> join this work even if he's not French or German ;)

I believe that working together across the country borders is how we
all will have a better product to offer our "customers", and I hope
that many will contribute so we'll have a nicer user administration
tool ready this summer when Debian starts the freeze
for etch. I hope that my comments about CiPux are taken seriously as I
believe the problems commented are very serious in a security point of

- Werner

[1] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/get_value.pl?rev=1.2
[2] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/add.pl?rev=1.5
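The two problems Werner raises above (a bind password placed in the argv of an LDAP command-line utility, where `ps ax` shows it to every local user, and password hashes copied verbatim into a logfile) can be shown side by side in a few lines. The following is an example added by the editor, not code from the mail or from CiPux, and it is in Python rather than Perl only so that it can be checked as written. It assumes OpenLDAP's `ldapsearch`, whose `-y <file>` option reads the bind password from a file instead of `-w <password>`; the set of attribute names treated as secret is an assumption about what such admin scripts handle, though `userPassword` and `sambaNTPassword` are real LDAP attribute names.

```python
import os
import re
import tempfile
from typing import Dict, List, Tuple

# Attribute names whose values must never be written to a log.  The names are
# real LDAP attributes; treating exactly this set as secret is an assumption of
# this example, not something taken from CiPux.
SECRET_ATTRIBUTES = {"userpassword", "sambantpassword", "sambalmpassword"}


def unsafe_ldapsearch_argv(bind_dn: str, password: str, base: str, filt: str) -> List[str]:
    """The pattern criticised in the mail: the bind password is an argv element,
    so while ldapsearch runs any local user can read it from the process table."""
    return ["ldapsearch", "-x", "-D", bind_dn, "-w", password, "-b", base, filt]


def safe_ldapsearch_argv(bind_dn: str, password: str, base: str, filt: str) -> Tuple[List[str], str]:
    """Hardened variant: the password goes into a temporary file that mkstemp
    creates with mode 0600, and argv carries only the file name via -y.
    The caller must remove the file (remove_passfile) once the command finished."""
    fd, path = tempfile.mkstemp(prefix="ldap-pw-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(password)
    except Exception:
        os.unlink(path)
        raise
    argv = ["ldapsearch", "-x", "-D", bind_dn, "-y", path, "-b", base, filt]
    return argv, path


def passfile_mode(path: str) -> int:
    """Permission bits of the password file, so a caller can verify 0600."""
    return os.stat(path).st_mode & 0o777


def remove_passfile(path: str) -> None:
    os.unlink(path)


def leaks_secret(argv: List[str], secret: str) -> bool:
    """Self-check for a command line: True if the secret appears in any argv
    element.  Useful as a unit test guard around wrapper scripts."""
    return any(secret in arg for arg in argv)


# LDIF-style "attr: value" / "attr:: base64" lines, which is what an add.pl-style
# script would typically write when it logs the entry it just created.
_LDIF_LINE = re.compile(r"^(?P<attr>[A-Za-z][\w-]*)(?P<sep>::?\s*)(?P<value>.*)$")


def redact_log_line(line: str) -> str:
    """Replace the value of any secret attribute before the line hits the log."""
    m = _LDIF_LINE.match(line)
    if m and m.group("attr").lower() in SECRET_ATTRIBUTES:
        return f"{m.group('attr')}{m.group('sep')}<redacted>"
    return line


def redact_entry(attrs: Dict[str, str]) -> Dict[str, str]:
    """Same policy for an entry held as a dict, e.g. before logging it with repr()."""
    return {k: ("<redacted>" if k.lower() in SECRET_ATTRIBUTES else v)
            for k, v in attrs.items()}


# Constructed sample of what a user-creation log might contain (not real data).
CONSTRUCTED_LOG = [
    "dn: uid=alice,ou=people,dc=example,dc=org",
    "uid: alice",
    "userPassword: {SSHA}c29tZWhhc2g=",
    "sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF",
]

if __name__ == "__main__":
    for line in CONSTRUCTED_LOG:
        print(redact_log_line(line))
    argv, path = safe_ldapsearch_argv("cn=admin,dc=example,dc=org", "s3cret",
                                      "dc=example,dc=org", "(uid=alice)")
    print(" ".join(argv), "mode=%o" % passfile_mode(path))
    remove_passfile(path)
```

The `-y` file is only as safe as its permissions and lifetime: it must be created with mode 0600 (which `mkstemp` guarantees) and deleted as soon as the command returns. Passing the password on stdin, or binding from Perl directly with Net::LDAP instead of spawning command-line tools, avoids the file entirely.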
