Gosa risking passwords being logged by sudo (Was: Is LWAT completely broken in Squeeze?)

To: debian-edu@lists.debian.org
Subject: Gosa risking passwords being logged by sudo (Was: Is LWAT completely broken in Squeeze?)
From: Petter Reinholdtsen <pere@hungry.com>
Date: Tue, 24 Aug 2010 08:24:26 +0200
Message-id: <[🔎] 20100824062426.GE28089@login1.uio.no>
In-reply-to: <[🔎] 4C7361AC.7070201@bzz.no>
References: <20100719192727.GB6444@login2.uio.no> <[🔎] 4C5698E5.9020307@bzz.no> <[🔎] 201008131312.07622.holger@layer-acht.org> <[🔎] 4C72A512.40206@bzz.no> <[🔎] 20100824002622.GA4862@siddhartha.sunshine> <[🔎] 4C7361AC.7070201@bzz.no>

[Finn-Arne Johansen]
> Well, I had a lot of lines in the log with usernames/passwords when
> creating users. Maybe it was because I had added a user in
> /etc/sudoers ?

The fix for this is to change gosa and the hooks to pass the passwords
in the environment or using stdin, to make sure the password is not
visible in the process list nor logged by sudo.

Happy hacking,
-- 
Petter Reinholdtsen

Reply to:

References:
- Re: Is LWAT completely broken in Squeeze?
  - From: Finn-Arne Johansen <faj@bzz.no>
- Re: Is LWAT completely broken in Squeeze?
  - From: Holger Levsen <holger@layer-acht.org>
- Re: Is LWAT completely broken in Squeeze?
  - From: Finn-Arne Johansen <faj@bzz.no>
- Re: Is LWAT completely broken in Squeeze?
  - From: "Andreas B. Mundt" <andi.mundt@web.de>
- Re: Is LWAT completely broken in Squeeze?
  - From: Finn-Arne Johansen <faj@bzz.no>

Prev by Date: Re: Is LWAT completely broken in Squeeze?
Next by Date: shutdown-at-night
Previous by thread: Re: Is LWAT completely broken in Squeeze?
Next by thread: debian-edu-config_1.443~svn67678_i386.changes ACCEPTED
Index(es):
- Date
- Thread