CiPux security (was: Re: Small Report of Dev WE in France 18-19/03 ? Work on user administration tool)
On Monday, 3 April, Christian Kuelker typed the following:
> On Fri, Mar 24, 2006 at 06:33:22PM +0100, Morten Werner Olsen wrote:
> > On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
> > > The idea was to use the very good work made by Christian Kuelker
> > > with CiPux. Cipux is a whole of very powerful Perl scripts which
> > > makes it possible to manage LDAP.
> > I studied some of the CiPux-code a bit, and there are several security
> > issues which must be fixed before we can use this in our
> > Debian-Edu/Skolelinux distribution. I've found examples in the code
> > where passwords are sent to the command-line. One example is in
> > get_value.pl, where the LDAP-password is provided on the
> > command-line to LDAP-commandline utilities.
> This is an issue and it must be changed. It is serious on woody, but
> not that serious on sarge, because the password will not show up
> in the processlist. We are working on that and there are some suggestions
> discussed in the German team to solve this. This should only be a matter
> of time. We can discuss this here also if this is desired in a different
If you write in perl, why not use the perl LDAP API?
No system call, no entry in the process list, no password to be read.
> > In another file  passwords, crypts and some NT-passwordhashes are
> > written directly in the logfile which is, in my eyes, far away from
> > acceptable.
> ok, there were no concerns about that from the German team so far, but
> it is no problem to cut that off. (the log was set to 700
> accessible only for root)
Don't log passwords.
*If* you *really* want to do so, define another special option for exactly
that task, e.g. $password_debug and set it to "false" in default and
write a big warning around it.
> > First of all I hope that the people that have implemented a solution
> > based on CiPux have restricted the access to the CiPux logfile!
> It should be done by installation, (debug) logging is off by default.
> > Second, the problem with the passwords in commands called in perl is
> > that a student can watch the processlist with e.g. 'ps ax' and be able
> > to pick up passwords for users or machines.
> Yes this is an issue which will go away with the new RPC daemon,
> implemented in France. Still under development, but will be finished
> in April.
Again: Net::LDAP is IMO a nice working API to access LDAP from Perl
without any execs.
> > If we can get the CiPux-framework free for these kind of bugs, we
> > should start the process of packaging it and uploading it to Debian.
> I agree on that.
> So please mail the things (bugs or feature requests).
> Where should this be listed?
> Maybe: http://www.skolelinux.de/wiki/CipUX/Requests
May the source be with you.
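
The two fixes discussed in this thread, binding through Net::LDAP instead of handing the password to a command-line utility, and keeping password attributes out of the log unless a `$password_debug` switch is set, sketched as an added example that is not CipUX code or any poster's own. The host, DNs, password file and `LDAP_*` environment variable names are assumptions, and the sample record is constructed.

```perl
#!/usr/bin/perl
# Added example (not CipUX code). Host, DNs, file paths and env names are assumptions.
use strict;
use warnings;
use Net::LDAP;

our $password_debug = 0;    # off by default; masks secrets in the log when false
my %SENSITIVE = map { $_ => 1 } qw(userpassword sambantpassword sambalmpassword);

# Read the bind password from a file only its owner can access, never from @ARGV.
sub read_secret {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path is group/world accessible\n" if $st[2] & 0077;
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    chomp(my $secret = <$fh> // '');
    close $fh;
    return $secret;
}

# Render attribute/value pairs for the log, masking secret-bearing attributes.
sub log_line {
    my (%attr) = @_;
    return join ' ', map {
        my $v = ($SENSITIVE{lc $_} && !$password_debug) ? '[REDACTED]' : $attr{$_};
        "$_=$v";
    } sort keys %attr;
}

# Bind and search in-process: the password never appears in any process argv.
sub get_value {
    my (%o) = @_;
    my $ldap = Net::LDAP->new($o{host}) or die "connect failed: $@\n";
    my $mesg = $ldap->bind($o{binddn}, password => read_secret($o{pwfile}));
    die 'bind failed: ' . $mesg->error . "\n" if $mesg->code;
    $mesg = $ldap->search(base => $o{base}, scope => 'sub',
                          filter => $o{filter}, attrs => [ $o{attr} ]);
    die 'search failed: ' . $mesg->error . "\n" if $mesg->code;
    my @values = map { $_->get_value($o{attr}) } $mesg->entries;
    $ldap->unbind;
    return @values;
}

# Constructed sample record; this part runs without an LDAP server.
print log_line(uid => 'jdoe', userPassword => '{CRYPT}constructed',
               sambaNTPassword => 'CONSTRUCTEDHASH'), "\n";
# A server is contacted only when one is named in the environment.
print "$_\n" for $ENV{LDAP_HOST} ? get_value(host => $ENV{LDAP_HOST},
    binddn => $ENV{LDAP_BINDDN}, pwfile => $ENV{LDAP_PWFILE},
    base => $ENV{LDAP_BASE}, filter => '(uid=jdoe)', attr => 'cn') : ();
```

Run without `LDAP_HOST` set, it prints `sambaNTPassword=[REDACTED] uid=jdoe userPassword=[REDACTED]`; while a search is in flight, `ps ax` shows only the script name, because the bind happens inside the Perl process.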