
Bug#665696: marked as done (gosa-sync breaks on passwords containing spaces)

Your message dated Mon, 15 Jul 2013 12:32:57 +0200
with message-id <201307151233.00544.holger@layer-acht.org>
and subject line done
has caused the Debian Bug report #665696,
regarding gosa-sync breaks on passwords containing spaces
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

665696: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=665696
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
package: debian-edu-config
severity: important
version: squeeze/r0

Spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf.

It is also very likely a security hazard to leave the user-supplied password string unquoted in those two files, whence severity=important.

The following patch just adds the quoting, and was verified to fix the issue.

Samuel Krempp
--- /etc/gosa/gosa.conf.befSK   2012-03-25 09:45:33.000000000 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200
@@ -44,7 +44,7 @@
       <plugin acl="users/phoneAccount:self" class="phoneAccount"/>
       <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
       <plugin acl="users/scalixAccount:self" class="scalixAccount"/>
-      <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+      <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=&quot;%userPassword&quot; /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>

     <!-- Section to enable administrative services -->
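Review bot: the double quotes around `%userPassword` only stop word splitting on spaces; the value is still substituted into a command line that a shell then parses (the `USERPASSWORD=... /usr/bin/sudo ...` prefix is shell syntax), and inside double quotes the shell still honours `$`, backticks and backslashes, while a `"` in the password terminates the quoted string. Unless GOsa escapes the substituted value (nothing in this line suggests it does), a password such as `x$(id)` runs `id` with the privileges of the process executing the hook, before `sudo` is even reached, and a password containing `"` breaks the command again, so the report's security concern survives this patch. The robust change is to keep the password out of the command string altogether (set `USERPASSWORD` in the environment of the process that runs the hook, or pass it on stdin) and, while here, to quote `%dn` as well, since it ends up in `$USERDN` and a DN may contain spaces.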
--- /usr/share/debian-edu-config/tools/gosa-sync.orig   2012-03-25 09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync        2012-03-25 09:56:04.000000000 +0200
@@ -15,7 +15,6 @@
 ## principal's one.

 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`

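Review bot: this hunk contains no `-` or `+` line although its header `@@ -15,7 +15,6 @@` announces one removed line, so the patch as posted will not apply cleanly; either the removed line was lost when the mail was composed or the hunk should be dropped. The visible context also has `echo $USERDN` unquoted in the `USERID=` backticks, so a DN with spaces or shell metacharacters is split or expanded before `sed` sees it; `echo "$USERDN"` is the safe form.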
@@ -30,7 +29,7 @@
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
 if [ "$IAM" = "dn:$USERDN" ] ; then
     cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$USERPASSWORD" $USERID
     cat $TMPFILE  | kadmin.local 2>&1 | logger -t gosa-sync -p notice
     logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.

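Review bot: the heredoc opened by `cat > $TMPFILE <<EOF` is unquoted, so the shell expands `$USERPASSWORD` exactly once and passes the added double quotes through as literal characters; they are interpreted by kadmin.local's request parser, not by the shell. That repairs passwords containing spaces, but a password containing a double quote still ends the kadmin token early, so the value needs escaping for kadmin's request syntax rather than plain quoting, and `$USERID` (here) and `$USERDN` (in `-D $USERDN`) should be quoted too. Two further points: the `EOF` terminator does not appear between the `change_password` line and `cat $TMPFILE`, so either the hunk lost a line or the script is broken as shown; and since kadmin.local's output is piped to `logger`, any error that echoes the malformed request would carry the password into syslog, while the password itself sits in clear in `$TMPFILE`, the same file earlier passed to `ldapwhoami -y`, whose creation mode is outside this hunk and should be verified (mktemp, 0600).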
--- End Message ---
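Added example, not taken from the bug report or from debian-edu-config: a small POSIX shell simulation of the `postmodify` hook in gosa.conf. It assumes, as the `USERPASSWORD=... /usr/bin/sudo ...` prefix in that line suggests, that GOsa substitutes `%userPassword` textually into the string and hands the result to a shell; `fake-sync` is a constructed stand-in for gosa-sync that only echoes the password it received, and `build_cmd_unquoted`, `build_cmd_quoted`, `run_template` and `run_safe` are names chosen here. It goes beyond the space case in the report: it shows that the double-quoted form still lets the shell execute a `$(...)` embedded in the password and still breaks on an embedded `"`, and contrasts both with setting the variable directly instead of through a command string.

```shell
#!/bin/sh
# Added example: models the postmodify hook from gosa.conf. Not debian-edu-config code.
# Assumption: the hook string is built by textual substitution of %userPassword and
# then executed by a shell (sh -c), as the VAR=value command prefix implies.

# Constructed stand-in for gosa-sync: prints the password it got via the environment.
SYNC_DIR=$(mktemp -d)
SYNC="$SYNC_DIR/fake-sync"
cat > "$SYNC" <<'EOF'
#!/bin/sh
printf '%s\n' "$USERPASSWORD"
EOF
chmod +x "$SYNC"
trap 'rm -rf "$SYNC_DIR"' EXIT

# Hook string as shipped: USERPASSWORD=%userPassword <command>
build_cmd_unquoted() {
    printf '%s' "USERPASSWORD=$1 $SYNC"
}

# Hook string as patched: USERPASSWORD="%userPassword" <command>
build_cmd_quoted() {
    printf '%s' "USERPASSWORD=\"$1\" $SYNC"
}

# What GOsa is assumed to do with the substituted string: parse and run it with a shell.
# stderr is dropped and the exit status ignored so callers see only what fake-sync printed.
run_template() {
    sh -c "$1" 2>/dev/null || true
}

# Hardened alternative: never put the secret in a string that is parsed as code.
# The value is expanded exactly once, as an environment assignment, so fake-sync
# receives it verbatim whatever characters it contains.
run_safe() {
    USERPASSWORD="$1" "$SYNC"
}

# Demonstration for a stand-alone run: three passwords through all three paths.
for pw in 'hunter 2' 'x$(echo INJECTED)' 'a"b'; do
    printf 'password %-20s unquoted:[%s] quoted:[%s] safe:[%s]\n' "$pw" \
        "$(run_template "$(build_cmd_unquoted "$pw")")" \
        "$(run_template "$(build_cmd_quoted "$pw")")" \
        "$(run_safe "$pw")"
done
```

Run it with `sh example.sh`. For `hunter 2` the unquoted column is empty because the shell tried to run a command named `2`; both template columns print `xINJECTED` because `$(echo INJECTED)` was executed by the shell before the hook ever started; the `a"b` password leaves both template columns empty (unterminated quote); only `run_safe` returns every password verbatim.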
--- Begin Message ---
version: 1.454

Done a long time ago...

--- End Message ---
