[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Small Report of Dev WE in France 18-19/03 ? Work on user administration tool

Thank you for you time to look into the code and you comments
to it. 

On Fri, Mar 24, 2006 at 06:33:22PM +0100, Morten Werner Olsen wrote:
> On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
> > The idea was to use the very good work made by Christian Kuelker
> > with CiPux.  Cipux is a whole of very powerful Perl scripts which
> > makes it possible to manage LDAP.
> I studied some of the CiPux-code a bit, and there are several security
> issues which must be fixed before we can using this in our
> Debian-Edu/Skolelinux distribution. I've found examples in the code
> where passwords are send to the command-line. One example in
> get_value.pl [1] where the LDAP-password is provided on the
> command-line to LDAP-commandline utilities.

This is a issue and its must be changed. It is serious on woddy, but
not that serious on sarge, because the password will not be shown up
in the processlist. We are working on that and there are some sugestions 
discussed in the german team to solve this. This should only be a matter 
of time. We can discuss this here also if this is desired in a different 

> In another file [2] passwords, crypts and some NT-passwordhashes are
> written directly in the logfile which is, in my eyes, far away from
> acceptable.

ok, there where no concerns to that from the german team so far, but 
its is no problem to cut that off. (the log was set to 700
accessible only for root)

> First of all I hope that the pepole that have implemented a solution
> based on CiPux have restricted the access to the CiPux logfile!

It should be done by installation, (debug) logging is off by default.

> Second, the problem with the passwords in commands called in perl is
> that a student can watch the processlist with e.g. 'ps ax' and be able
> to pick up passwords for users or machines.

Yes this is an issue which will gone away with the new RPC daemon, 
implemnted in France. Still under development, but will be finished
in April.

> If we can get the CiPux-framework free for these kind of bugs, we
> should start the process of packaging it and uploading it to Debian.

I agree on that. 

So please mail the things (bugs or feature requests). 

Where should this be listet? 

May be: http://www.skolelinux.de/wiki/CipUX/Requests

> Unfortunately I don't have any Moodle-knowledge, but do you know how
> hard/easy it will be to make a CiPux-plugin written for Moodle
> preconfigured for our Debian-Edu/Skolelinux distribution? At least you
> should make sure the students write the configuration part of the
> plugin with this in mind.

This should be addressed to the frensh CipUX Section ...

> > This work is a first result from the collaboration started between
> > the French and German team and of course everybody must feel free to
> > join this work even if he?s not French or German ;)
> I believe that working together across the country borders is how we
> all will have a better product to offer our "customers", and I hope
> that many will contribute so we'll have a nicer utility for user
> administration tool ready this summer when Debian starts the freeze
> for etch. I hope that my comments about CiPux are taken seriously as I
> believe the problems commented are very serious in a security point of
> view.

I enjoy the international working together to imporve our product to
the needs of customers, school admins and (!) endusers in the spirit 
of Erkelenz.

And I think, I speak for the frensh section to, that we will do our
best to make this possible as soon as possible. 


Reply to: