
Re: Handling of raw passwords, quoting, escaping



Hi,

On 26/03/12 21:38, Petter Reinholdtsen wrote:
>> * gosa-sync uses the raw passwords as process arguments, which on a
>> multi-user system means others (users or services) can read them via
>> /proc or utilities like 'top', 'ps' or 'w'
> 
> gosa-sync is carefully constructed to never use the password as a
> process argument.  It is only available in the environment passed from
> GOSA, an inline text string and in a temp file.

Ah, I see in r75805 you did make efforts to prevent that before the
Squeeze release, so it is not so serious.  I misread this:

> change_password -pw "$USERPASSWORD" $USERID 

thinking that was a shell command, but I see it is being used as part of
a heredoc:

> cat > $TMPFILE <<EOF
> change_password -pw "$USERPASSWORD" $USERID
> EOF
> 
> # Grep away change_password -pw call to make sure syslog to not
> # get a copy of the new password.
> cat $TMPFILE | kadmin.local 2>&1 | grep -v "change_password -pw" | logger -t gosa-sync -p notice

But isn't this kinda redundant?  It could be written so that the heredoc
goes directly to kadmin.local instead of being output to file with 'cat'
and then 'cat' back in?

The call to ldapwhoami still needs to read the raw password from a file
though, which is unfortunate.

Because I'm really, really paranoid, I don't think raw passwords should
even be written to a tempfile/disk, and anything using them should use
mlockall() to avoid them being swapped out to disk.


Is there any specific reason to still not use quotes around things like
$1, $USERDN, $USERID (or even $TMPFILE), as has now been done for
$USERPASSWORD?  I would think that if someone did (as www-data)
something like:

$ USERPASSWORD="correctpw" sudo gosa-sync "uid=; foo,"

they could maybe inject extra commands/parameters to ldapwhoami or
kadmin.local?


And what is this...

revision 77106 by pere, Tue Mar 20 19:00:25 2012 UTC:
> Change gosa-sync to not syslog the new password string when
> changing password in GOsa².

Wow, really? :/  I didn't know about this.

If that has happened, patching gosa-sync is too late to help anyone
whose raw passwords are now saved into syslog for many weeks (but
hopefully readable only by the root user or adm group).

But, if someone was importing raw passwords from a CSV file, their
passwords are probably no more exposed than they already were...


> The clear text passwords are removed from debconf at the end of the
> installation...

Okay.  Well, that's much better than I thought, but not perfect.

Hopefully the temporarily-stored passwords are held in
/var/cache/debconf/passwords.dat, rather than remaining in
world-readable /var/cache/debconf/config.dat-old after install?  I
haven't checked this.

Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org
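The two points raised in the message (feeding the heredoc straight to the consumer instead of via a temp file, and quoting variable expansions so a value containing whitespace cannot be split into extra arguments) can be seen in a small POSIX sh script. This is an added example, not gosa-sync's own code: fake_ldapwhoami, fake_kadmin and valid_userid are constructed stand-ins so the script runs offline, and the allow-list check on the user id is an assumption about reasonable input, not something the original script does.

```shell
#!/bin/sh
# Added example, not part of gosa-sync.  Stand-ins replace ldapwhoami and
# kadmin.local so the script can run without Kerberos or LDAP present.

# Stand-in for ldapwhoami: reports how many arguments it received and
# prints each one, so argument splitting becomes visible.
fake_ldapwhoami() {
    printf 'argc=%d\n' "$#"
    for a in "$@"; do printf 'arg=[%s]\n' "$a"; done
}

# Unquoted expansion (the pattern the message questions): a DN containing
# whitespace is split by the shell into several arguments.
unquoted_argc() {
    USERDN=$1
    fake_ldapwhoami -D $USERDN | sed -n 's/^argc=//p'
}

# Quoted expansion: the DN reaches the tool as exactly one argument.
quoted_argc() {
    USERDN=$1
    fake_ldapwhoami -D "$USERDN" | sed -n 's/^argc=//p'
}

# Assumed allow-list for a user id (constructed, not from gosa-sync):
# letters, digits, dot, underscore and dash only, so a value cannot add a
# second kadmin command line or extra words.
valid_userid() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Stand-in for kadmin.local: reads commands on stdin and echoes each one
# back, as the real tool echoes the request into its own output.
fake_kadmin() {
    while IFS= read -r line; do printf 'kadmin: %s\n' "$line"; done
}

# The heredoc goes directly to the consumer, so the password is never
# written to a temp file, and the change_password line is dropped before
# the output could reach a log sink such as logger(1).
change_password_nolog() {
    USERPASSWORD=$1
    USERID=$2
    valid_userid "$USERID" || return 1
    fake_kadmin <<EOF 2>&1 | grep -v "change_password -pw"
change_password -pw "$USERPASSWORD" $USERID
getprinc $USERID
EOF
}

# Usage (output shown when run stand-alone):
printf 'unquoted argc: %s\n' "$(unquoted_argc 'uid=; foo,')"
printf 'quoted argc:   %s\n' "$(quoted_argc 'uid=; foo,')"
change_password_nolog 'example-secret' 'alice'
```

Run with `sh` on a constructed DN such as `uid=; foo,`: the unquoted form hands ldapwhoami three arguments, the quoted form two, and the kadmin output that would be logged contains only the getprinc line.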

