Re: Small Report of Dev WE in France 18-19/03 - Work on user administration tool
Hi,
nice to see you in Extremadura, even if we had noch much time to talk.
Morten Werner Olsen wrote:
On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
I was asked to reply to this mail. So I thought I did it already but, ...
So every bug you mentioned is fixed several month ago, but I was asked
in Extremadura if this is fixed, so I write it here again.
I studied some of the CiPux-code a bit, and there are several security
issues which must be fixed before we can using this in our
Debian-Edu/Skolelinux distribution. I've found examples in the code
where passwords are send to the command-line. One example in
get_value.pl [1] where the LDAP-password is provided on the
command-line to LDAP-commandline utilities.
The LDAP command line is "fixed" on version 3.2.9
The LDAP command takes now -y and a file where the password is stored.
The file owns by root:root are mode 400
It was not viewable before in Sage and is not viewabel in Sarge/Edge/...
now. But it was viewable in woddy, which was not a target plattform for
CipUX. And its reduces questions about it.
In another file [2] passwords, crypts and some NT-passwordhashes are
written directly in the logfile which is, in my eyes, far away from
acceptable.
Sorry the fuction log() is the debuglog function. I should rename it.
The (debug) logfile dir /var/log/cipux is (and always was) owned by
root:root, mode 750. The password hashes was only printetd, if the debug
option was true, which is false by default.
And if you switch on the debug option in production environment you
realy need a big harddisk.
But now: if even the debug option is true, no password hashes are printetd.
First of all I hope that the pepole that have implemented a solution
based on CiPux have restricted the access to the CiPux logfile!
Yes of course (this was always the case)
You can check the permissons with cipux_maint_diagnostic
[3]
Second, the problem with the passwords in commands called in perl is
that a student can watch the processlist with e.g. 'ps ax' and be able
to pick up passwords for users or machines.
This was overseen as we made the transition to tjener als Terminalserver.
This is fixed with 3.2.9
Passwords are not used on commandline any more.
If we can get the CiPux-framework free for these kind of bugs, we
should start the process of packaging it and uploading it to Debian.
ok. I think Xavier has time next week, so we can start that process
during the summer.
Unfortunately I don't have any Moodle-knowledge, but do you know how
hard/easy it will be to make a CiPux-plugin written for Moodle
preconfigured for our Debian-Edu/Skolelinux distribution? At least you
should make sure the students write the configuration part of the
plugin with this in mind.
Developing Moodle Plugin is under way as everybody knows.
I believe that working together across the country borders is how we
all will have a better product to offer our "customers", and I hope
that many will contribute so we'll have a nicer utility for user
administration tool ready this summer when Debian starts the freeze
for etch. I hope that my comments about CiPux are taken seriously as I
believe the problems commented are very serious in a security point of
view.
Yes of course, scurity is serious.
So I encurage everybody to post security issues on CipUX and every other
Debian-Edu software freely on this list. This will help us to compete
with proprietary software.
Yours
Christian
This are obsolete:
[1] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/get_value.pl?rev=1.2
[2] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/add.pl?rev=1.5
The new code is on Alioth:
http://svn.debian.org/wsvn/cipux/trunk/
[1]
http://svn.debian.org/wsvn/cipux/trunk/cibot/src/bin/get_value.pl?op=file&rev=0&sc=0
[2]
http://svn.debian.org/wsvn/cipux/trunk/cibot/src/bin/add.pl?op=file&rev=0&sc=0
[3]
http://svn.debian.org/wsvn/cipux/trunk/cibot/src/bin/maint_diagnostic.pl?op=file&rev=0&sc=0
Reply to: