Bug#665696: gosa-sync breaks on passwords containing spaces
package: debian-edu-config
severity: important
version: squeeze/r0
Passwords containing spaces require proper quoting of the password variable in both gosa-sync
and gosa.conf.
Leaving the user-supplied password string unquoted in those two files is also very likely a
security hazard, hence severity=important.
The following patch just adds the quoting, and was verified to fix the issue.
--
Samuel Krempp
--- /etc/gosa/gosa.conf.befSK 2012-03-25 09:45:33.000000000 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200
@@ -44,7 +44,7 @@
<plugin acl="users/phoneAccount:self" class="phoneAccount"/>
<plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
<plugin acl="users/scalixAccount:self" class="scalixAccount"/>
- <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+ <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD="%userPassword" /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
</section>
<!-- Section to enable administrative services -->
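Review bot: The added `postmodify` line nests unescaped double quotes inside a double-quoted XML attribute, so the attribute value ends at `USERPASSWORD=` and the file is no longer well-formed XML. The inner quotes need to be written as entities: `postmodify="USERPASSWORD=&quot;%userPassword&quot; /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"`. Even then, double quotes only prevent word splitting. If GOsa substitutes the raw password into this command line (not visible here), `$`, backticks, backslashes and `"` in a password are still interpreted by the shell. The placeholder should be escaped by the caller, or the password passed through a channel that is not parsed as shell, and `%dn` deserves the same treatment.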
--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync 2012-03-25 09:56:04.000000000 +0200
@@ -15,7 +15,6 @@
## principal's one.
RETVAL=0
-
USERDN=$1
USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`
@@ -30,7 +29,7 @@
IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$USERPASSWORD" $USERID
EOF
cat $TMPFILE | kadmin.local 2>&1 | logger -t gosa-sync -p notice
logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
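Review bot: The quotes added around `$USERPASSWORD` sit inside an unquoted here-document, so they reach `kadmin.local` literally and it is kadmin's parser, not the shell, that honours them; a password containing `"` or a newline still ends the quoted argument or the request line, and the remainder is parsed by kadmin instead of being treated as password text. The script should refuse such passwords before the `cat > $TMPFILE` line, e.g. `case "$USERPASSWORD" in *\"*) logger -t gosa-sync -p err "password contains unsupported characters"; exit 1;; esac`, plus an equivalent check for newlines. `$USERDN` and `$TMPFILE` are also unquoted where the shell expands them (`-y $TMPFILE -D $USERDN`, `cat > $TMPFILE`) and should be written as `"$USERDN"` and `"$TMPFILE"`. The `if` block continues past the end of the hunk.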