
CiPux security (was: Re: Small Report of Dev WE in France 18-19/03 ? Work on user administration tool)

On Monday, 3 April, Christian Kuelker typed the following:


> On Fri, Mar 24, 2006 at 06:33:22PM +0100, Morten Werner Olsen wrote:
> > On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
> > > The idea was to use the very good work made by Christian Kuelker
> > > with CiPux.  Cipux is a whole of very powerful Perl scripts which
> > > makes it possible to manage LDAP.

> > I studied some of the CiPux-code a bit, and there are several security
> > issues which must be fixed before we can use this in our
> > Debian-Edu/Skolelinux distribution. I've found examples in the code
> > where passwords are sent to the command-line. One example in
> > get_value.pl [1] where the LDAP-password is provided on the
> > command-line to LDAP-commandline utilities.

> This is an issue and it must be changed. It is serious on woody, but
> not that serious on sarge, because the password will not show up
> in the processlist. We are working on that and there are some suggestions
> discussed in the German team to solve this. This should only be a matter
> of time. We can discuss this here also if this is desired in a different
> thread.

If you write in perl, why not use the perl LDAP API?
No system call, no entry in the process list, no password to be read.

> > In another file [2] passwords, crypts and some NT-passwordhashes are
> > written directly in the logfile which is, in my eyes, far away from
> > acceptable.

> ok, there were no concerns about that from the German team so far, but
> it is no problem to cut that off. (the log was set to 700
> accessible only for root)

Don't log passwords.
*If* you *really* want to do so, define another special option for exactly
that task, e.g. $password_debug and set it to "false" in default and
write a big warning around it.

> > First of all I hope that the people that have implemented a solution
> > based on CiPux have restricted the access to the CiPux logfile!

> It should be done by installation, (debug) logging is off by default.

> > Second, the problem with the passwords in commands called in perl is
> > that a student can watch the processlist with e.g. 'ps ax' and be able
> > to pick up passwords for users or machines.

> Yes this is an issue which will go away with the new RPC daemon,
> implemented in France. Still under development, but will be finished
> in April.

Again: Net::LDAP is, IMO, a nice working API to access LDAP from Perl
without any execs.

> > If we can get the CiPux-framework free for these kind of bugs, we
> > should start the process of packaging it and uploading it to Debian.

> I agree on that. 

> So please mail the things (bugs or feature requests). 

> Where should this be listed?

> Maybe: http://www.skolelinux.de/wiki/CipUX/Requests


	May the source be with you.
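
The two recommendations in the message above (bind through Net::LDAP instead of calling the LDAP command-line tools, and keep passwords out of the log unless a default-off switch is set) could look like this. It is an added example, not CiPux code and not written by anyone in this thread; the host name, DNs, secret file path and the helpers read_secret and log_line are assumptions made for illustration.

```perl
# Added example, not CiPux code. Host, DNs and file path are placeholders.
use strict;
use warnings;
use Net::LDAP;

my $password_debug = 0;   # switch suggested in the thread; off by default

# Read the bind password from a file only its owner can access, so it is
# never passed in argv and cannot show up in 'ps ax'.
sub read_secret {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path must not be accessible by group or others\n" if $st[2] & 0077;
    open(my $fh, '<', $path) or die "cannot open $path: $!\n";
    my $secret = <$fh>;
    close($fh);
    die "$path is empty\n" unless defined $secret;
    chomp $secret;
    return $secret;
}

# Log helper: named secrets are masked unless the debug switch is set on purpose.
sub log_line {
    my ($msg, %secret) = @_;
    warn "WARNING: password_debug is on, secrets are written to the log\n"
        if $password_debug;
    for my $name (sort keys %secret) {
        $msg .= " $name=" . ($password_debug ? $secret{$name} : '[REDACTED]');
    }
    print STDERR scalar(localtime), " $msg\n";
}

my $bind_dn = 'cn=admin,dc=example,dc=org';              # placeholder
my $bind_pw = read_secret('/etc/example/ldap.secret');   # placeholder path

# ldaps:// with certificate verification keeps the bind off the wire in clear.
my $ldap = Net::LDAP->new('ldaps://ldap.example.org', verify => 'require')
    or die "connect failed: $@\n";

# The password travels inside the LDAP bind request; no external command runs.
my $bind = $ldap->bind($bind_dn, password => $bind_pw);
log_line("bind as $bind_dn, result code " . $bind->code, password => $bind_pw);
die 'bind failed: ' . $bind->error . "\n" if $bind->code;

my $res = $ldap->search(base => 'dc=example,dc=org', filter => '(uid=jdoe)',
                        attrs => ['cn']);
die 'search failed: ' . $res->error . "\n" if $res->code;
print scalar($_->get_value('cn')) // '', "\n" for $res->entries;
$ldap->unbind;
```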
