Handling of raw passwords, quoting, escaping
Hi,
There are some serious issues in the way passwords are handled by Debian
Edu in a few places.
As a result, there have already been issues resulting from:
* lack of quoting in shell scripts (#665696 gosa-sync)
* debconf was improperly handling a literal '#' in values (#636219)
* improper escaping by GOsa in PHP exec() calls (gosa upstream #1026)
* improper input sanitisation by GOsa; seemingly not performing
stripslashes() on a user-supplied value, as evidenced at:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665696#32
And I worry there may be other issues, including:
* gosa-sync uses the raw passwords as processes arguments, which on a
multi-user system means others (users or services) to read them via
/proc or utilities like 'top', 'ps' or 'w'
* would reportbug accidentally disclose the raw passwords from debconf?
* hashing of the root user's password in /etc/shadow is ineffective if
the raw password can be obtained from debconf.
I'm of the opinion that passwords should be hashed as soon practical
after they are input. But then kadmin or GOsa would have to allow
setting/changing a password by hash... somehow...
Otherwise, the password must be safely sent to kadmin, then discarded
without ever being stored in raw form.
Regards,
--
Steven Chamberlain
steven@pyro.eu.org
Reply to: