
Bug#665696: gosa-sync breaks on passwords containing spaces



Steven Chamberlain wrote, on 27/03/2012 01:54:
> Hi,
>
> On 26/03/12 10:05, Petter Reinholdtsen wrote:
>> The fix for gosa.conf is not upgradable, so we need to come up with a
>> better idea.
>
> The fix won't work.  Using quotes in gosa.conf is no good if the
> %userPassword substitution could contain double quotes.

Yes, the patch to gosa.conf I had first sent has to be reversed if GOsa is upgraded to escape userPassword (in functions.inc). With such an escaped %userPassword the variable can be sent to the gosa-sync script untampered, then the only thing to do is make sure gosa-sync handles it correctly: re-quote it to be used in kadmin, because kadmin only uses double quotes. Without that, it is possible, and fairly easy, for a user to exploit %userPassword to send any command to kadmin, run as root, which is a pretty big vulnerability at the moment. That's why I had sent that patch to gosa-sync, which is the only thing to patch once GOsa's functions.inc is upgraded.

--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync        2012-03-26 15:34:13.000000000 +0200
@@ -28,9 +28,10 @@
 $USERPASSWORD
 EOF
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
+EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because kadmin need to use  double quotes
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$EUSERPASSWORD" $USERID
 EOF
     cat $TMPFILE  | kadmin.local 2>&1 | logger -t gosa-sync -p notice
     logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
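
Review bot: the added EUSERPASSWORD line doubles only the `"` character, so a line break inside the password passes through sed unchanged and lands in the heredoc as an extra line piped to kadmin.local; reject or strip passwords containing newlines before the `change_password` line is written. `$USERID` on the new `change_password -pw "$EUSERPASSWORD" $USERID` line is still unquoted and unescaped, so it needs the same quoting unless it is validated earlier in the script. The assignment also runs before the `if [ "$IAM" = "dn:$USERDN" ]` check and uses an unquoted `$TMPFILE` with a redundant cat; moving it inside the `if` and writing `sed -e 's/"/""/g' "$TMPFILE"` would be cleaner, and the comment could state that kadmin reads `""` inside a quoted argument as a literal quote.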
