
passwords handling (was Re: troubles with Gosa)



Petter Reinholdtsen wrote, on 24/03/2012 23:52:

> The GOsa->Kerberos sync script is from debian-edu-config, see
> /usr/share/debian-edu-config/tools/gosa-sync.

Thanks, I noticed $USERPASSWD was not quoted in this file, nor in /etc/gosa/gosa.conf, and this very likely allows users to run exploits through their password string (on top of breaking passwords containing spaces). I sent a bug report with a patch to bugs.debian.org as advised in the documentation.

I wonder if quotes could also be used to run exploits through the password?


> For the first user, there is also
> /usr/share/debian-edu-config/tools/kerberos-kdc-init and
> /usr/bin/ldap-debian-edu-install.

I didn't have time to check those ones, and it is less important as they are not run by students.

regards,
-- Samuel Krempp
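As an added example (it is not from this thread and is not the gosa-sync script or gosa.conf; the function names, file names and sample passwords are constructed for illustration), the POSIX shell script below shows what an unquoted $USERPASSWD expansion does to a password value next to the double-quoted form, and why quoting the expansion is not enough once the value is spliced into a command string that a shell re-parses:

```sh
#!/bin/sh
# Added example, not the gosa-sync script or gosa.conf. Every function name,
# file name and sample password here is constructed for this demonstration.

# Stand-in for the privileged command that would receive the password
# (kadmin or similar). It reports the number of arguments it was given,
# which is exactly what changes between the two quoting styles.
receive_password() {
    printf '%s' "$#"
}

# Vulnerable pattern: the expansion is unquoted, so the shell field-splits the
# value on $IFS (space, tab, newline) and runs pathname expansion on any glob
# characters before the receiving command ever sees it. An empty password
# disappears entirely (zero arguments).
password_argc_unquoted() {
    USERPASSWD=$1
    # shellcheck disable=SC2086
    receive_password $USERPASSWD
}

# Hardened pattern: a double-quoted expansion is always exactly one argument,
# whatever characters the password contains.
password_argc_quoted() {
    USERPASSWD=$1
    receive_password "$USERPASSWD"
}

# Glob expansion in a controlled directory: with two matching files present,
# an unquoted password of '*.keytab' turns into two file names; quoted, it
# stays one literal argument. Argument: "yes" for the quoted form, anything
# else for the unquoted form.
glob_argc() {
    quoted=$1
    tmp=$(mktemp -d)
    touch "$tmp/a.keytab" "$tmp/b.keytab"
    if [ "$quoted" = yes ]; then
        n=$(cd "$tmp" && password_argc_quoted '*.keytab')
    else
        n=$(cd "$tmp" && password_argc_unquoted '*.keytab')
    fi
    rm -rf "$tmp"
    printf '%s' "$n"
}

# Command-string pattern: the password is spliced into a string that a shell
# later re-parses (eval, sh -c, or a hook runner that assembles a command line
# from attribute values). Quoting the expansion inside that string does not
# help: a password containing a double quote closes the string and the rest
# of the password runs as a separate command. The "real" command is replaced
# by ':' (a no-op) so the only side effect is the injected 'touch'.
password_via_eval() {
    tmp=$(mktemp -d)
    marker="$tmp/injected"
    USERPASSWD="x\"; touch $marker; :\""
    cmd=": -pw \"$USERPASSWD\" someuser"
    eval "$cmd"
    if [ -e "$marker" ]; then r=injected; else r=safe; fi
    rm -rf "$tmp"
    printf '%s' "$r"
}

# Same password handed directly as one quoted argument with no re-parsing:
# the shell never interprets the quote or the semicolon inside the value.
password_as_argument() {
    tmp=$(mktemp -d)
    marker="$tmp/injected"
    USERPASSWD="x\"; touch $marker; :\""
    : -pw "$USERPASSWD" someuser
    if [ -e "$marker" ]; then r=injected; else r=safe; fi
    rm -rf "$tmp"
    printf '%s' "$r"
}
```

Two practical points follow from the last two functions. Double quotes protect a value only when the expansion is itself the argument; as soon as the value is embedded in text that another shell (or a tool with its own command parser) re-reads, every metacharacter in the password is live again, so the fix is to pass it as a discrete argument or, better, through stdin or a file where the receiving tool supports that, since anything on a command line is also visible to other users in `ps`.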

