Bug#711693: debconf-set-selection: leave clear text password entries behind in templates.dat

To: submit@bugs.debian.org
Subject: Bug#711693: debconf-set-selection: leave clear text password entries behind in templates.dat
From: Petter Reinholdtsen <pere@hungry.com>
Date: Sat, 08 Jun 2013 21:17:07 +0200
Message-id: <[🔎] 2flobbgmmz0.fsf@diskless.uio.no>
Reply-to: Petter Reinholdtsen <pere@hungry.com>, 711693@bugs.debian.org

Package:  debconf-utils
Version:  1.5.49
Severity: important
Tags:     patch
User:     debian-edu@lists.debian.org
Usertags: debian-edu

We recently discovered a problem with the Wheezy version of Debian Edu
we are working on.  The clear text password of root and the first user
would show up in /var/cache/debconf/templates.dat and
/var/cache/debconf/templates.dat-old, even if we had code in our
installation hooks to remove the passwords from debconf once they had
been used to set up Kerberos and LDAP.

I traced it down to our use of debconf-set-selections to pass the
passwords into the debconf database in /target/, and the code that look
like this:

sub load_answer {
	my ($owner, $label, $type, $content) = @_;
	
	info "Loading answer for '$label'";

	my $template=Debconf::Template->get($label);
	if (! $template) {
		$template=Debconf::Template->new($label, $owner, $type);
		$template->description("Dummy template");
		$template->extended_description("This is a fake template used to pre-seed the debconf database. If you are seeing this, something is probably wrong.");
	}
	else {
		$template->default($content);
	}
[...]
	$question->value($content);
[...]
}

When using debconf-set-selectoins to set a password in a template that
is already loaded, the $template->default() code path is used, and this
in turn cause a 'Default: clear-text-password' to show up in
templates.dat.    The clear-text-password string is also added as a
value that show up in passwords.dat.  When we clear the password later
in the installation using

  db_set debian-edu-config/kdc-password ""

this only clear the value in passwords.dat, but not the one in
templates.dat - causing the clear text password to be available after
installation.  This is a security problem.

I am unable to understand why the default value is updated by
debconf-set-selections, but believe it is a bad idea to do so for
templates with the password type.  Because of this, I propose the
following patch:

Index: debconf-set-selections
===================================================================
--- debconf-set-selections      (revisjon 77643)
+++ debconf-set-selections      (arbeidskopi)
@@ -51,7 +51,9 @@
                $template->extended_description("This is a fake template used to pre-seed the debconf database. If you are seeing this, something is probably wrong.");
        }
        else {
-               $template->default($content);
+               if ("password" ne $type) {
+                     $template->default($content);
+               }
        }
        $template->type($type);
 
This fixed the problem for Debian Edu.  Luckily we already had our own
version of debconf-set-selection, so we could fix the problem on our
end, but I believe the problem should be fixed for everyone using
debconf-set-selections to store passwords. :)

-- 
Happy hacking
Petter Reinholdtsen

Reply to:

Prev by Date: Re: Mass import - Real fix, I think
Next by Date: Re: Mass import - Real fix, I think
Previous by thread: debian-edu-config_1.706~svn80395_i386.changes ACCEPTED
Next by thread: Bug#693236: GOsa² fails to set passwords starting with dash ("-") or double dash ("--").
Index(es):
- Date
- Thread