Re: Handling of raw passwords, quoting, escaping
> But isn't this kinda redundant? It could be written so that the
> heredoc goes directly to kadmin.local instead of being output to a
> file with 'cat' and then 'cat' back in?
Yes, it could be rewritten like that. I kept the temp file to make it
easier to debug.
> The call to ldapwhoami still needs to read the raw password from a
> file though, which is unfortunate.
Yeah. Would love to avoid it.
> Is there any specific reason to still not use quotes around things
> like $1, $USERDN, $USERID (or even $TMPFILE), as has now been done
> for $USERPASSWORD? I would think that if someone did (as www-data)
> something like:
Nope. Changed in svn.
> Hopefully the temporarily-stored passwords are held in
> /var/cache/debconf/passwords.dat, rather than remaining in
> world-readable /var/cache/debconf/config.dat-old after install? I
> haven't checked this.
Good point. Not quite sure when config.dat-old is updated. But the
relevant values are of debconf type password, so I believe their
content is always stored in passwords.dat without such an extra copy.
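
The quoting point raised above, as an added example that is not part of the original message or of the package's postinst: an unquoted expansion such as $1 or $USERDN is subject to field splitting and pathname expansion, so the program it is passed to can receive a different argument list than the script intended. The file names and the value assigned to "v" are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the package's postinst discussed in the
# thread: it shows what quoting $1, $USERDN, $USERID and $TMPFILE protects
# against. An unquoted expansion undergoes field splitting and pathname
# expansion, so the called program sees a different argument list than
# the script intended. File names and the value of "v" are constructed.

# Report how many arguments actually reach the callee.
argc() { echo "$#"; }

# Unquoted expansion, as in the script before the change.
argc_unquoted() { argc $1; }

# Quoted expansion, as committed after the review.
argc_quoted() { argc "$1"; }

# Run both forms in a scratch directory with a known set of files so the
# effect of pathname expansion on a '*' in the value is deterministic.
# Prints "<unquoted count> <quoted count>".
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/a.keytab"
    : > "$d/b.keytab"
    # Constructed value standing in for a DN or password that a local
    # user such as www-data might be able to influence.
    v='cn=foo bar,dc=example *'
    (cd "$d" && printf '%s %s\n' "$(argc_unquoted "$v")" "$(argc_quoted "$v")")
    rm -rf "$d"
}

demo
```

With the unquoted form the single value splits into three words and the trailing '*' is then replaced by the two files in the directory, so the callee sees four arguments; the quoted form passes exactly one. The same mechanism is why a DN or password containing spaces or glob characters can change which arguments reach ldapwhoami or kadmin.local.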