Univention Bugzilla – Bug 20611
Join script password visible in the process list
Last modified: 2019-02-18 17:00:31 CET
Currently the password handed to join scripts is visible in the process list. It should be examined (possibly in conjunction with Bug 20610) how this can be prevented.
*** Bug 22059 has been marked as a duplicate of this bug. ***
A program can (try to be fast to) hide the information in /proc/$$/cmdline by overwriting it, but this always leaves a short time during which the information can be obtained. Therefore sensitive information cannot be passed securely via command line parameters. Additionally (ba)sh does not seem to offer the functionality of changing /proc/$$/cmdline. Thus other options for passing the password are required to remove this problem:

- One possibility is writing the information to a file and passing the path of the file via command line.
- Another possibility is passing the information via /proc/$$/environ.
- Further possibilities are passing the information via file handles (stdin, pipe on fd 3) or sockets.

Simplicity: environ, tempfile, pipe

Security:
- pipe (can only be accessed once)
- environ (can be accessed multiple times, by subprocesses if not unset)
- tempfile (can be accessed multiple times, by every process of that user)
(In reply to Janek Walkenhorst from comment #2)
> Security:
> [...]
> environ (can be accessed multiple times, by subprocesses if not unset)
> tempfile (can be accessed multiple times, by every process of that user)

Since joinscripts are usually called as user "root", all files of the whole system are "vulnerable". So a subprocess with root privileges may even read the environment of its parent process. Unsetting an environment variable does not update /proc/$$/environ. So in this case, I would consider "environ" even more unsafe than "tempfile", since files may be deleted before the subprocess is called.
(In reply to Sönke Schwardt-Krummrich from comment #3)
> (In reply to Janek Walkenhorst from comment #2)
> > Security:
> [...]
> > environ (can be accessed multiple times, by subprocesses if not unset)
> > tempfile (can be accessed multiple times, by every process of that user)
>
> Since joinscripts are usually called as user "root", all files of the whole
> system are "vulnerable".

Different issue.

> So a subprocess with root privileges may even read
> the environment of its parent process.

This is not limited to root - every process of a user can do everything with every other process running as the same user.

> Unsetting an environment variable does not update /proc/$$/environ.

It can be hidden the same way /proc/$$/cmdline can. Like with cmdline, Bash does not provide that functionality either.

> So in this case, I would consider
> "environ" even more unsafe than "tempfile", since files may be deleted
> before the subprocess is called.

(As discussed) "environ" may be a security problem when incorrectly starting processes via su, compared to "tempfile".
(As discussed) "environ" is probably more complicated to use than "tempfile".
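The pipe-on-fd-3 option weighed in comments #2 to #4 above, shown as an added example that is not part of this bug report or of the UCS join tooling. The "join script" here is a constructed stand-in written to a temp file: it reads the secret from fd 3, closes that fd before anything else could inherit it, and reports what its own /proc/$$/cmdline looks like to an observer. The caller feeds the secret through a pipe using the shell's builtin printf, so no process ever carries the secret in its argument vector or environment, and no file is written.

```shell
#!/bin/sh
# Added example (not UCS code): hand a secret to a join script over fd 3
# instead of argv, so it never shows up in /proc/<pid>/cmdline.

# Write a constructed stand-in join script to the path given as $1.
# It never looks at its own arguments for the secret.
make_demo_joinscript() {
    script="$1"
    cat > "$script" <<'EOF'
#!/bin/sh
# Read exactly one line from fd 3, the pipe the caller opened for us.
IFS= read -r secret <&3
# Close fd 3 immediately so children started later cannot read from it.
exec 3<&-
# What an observer sees in our cmdline (NUL separators turned into spaces);
# "unavailable" if /proc is not mounted here.
cmdline=$(tr '\0' ' ' < /proc/$$/cmdline 2>/dev/null || echo unavailable)
printf 'cmdline=%s\n' "$cmdline"
printf 'secret_len=%s\n' "${#secret}"
EOF
    chmod 700 "$script"
}

# Run a join script, passing the secret on fd 3 via a pipe: no argv, no env,
# no temp file. printf is a shell builtin, so no extra process carries the
# secret in its argument list. Redirections apply left to right: fd 3 becomes
# the pipe's read end, then stdin is replaced by /dev/null.
run_join_with_secret() {
    script="$1"
    secret="$2"
    printf '%s\n' "$secret" | "$script" 3<&0 </dev/null
}

# Stand-alone demonstration with a constructed secret.
if [ "${0##*/}" != "sh" ] && [ -z "${JOIN_DEMO_NO_MAIN:-}" ]; then
    demo=$(mktemp)
    make_demo_joinscript "$demo"
    run_join_with_secret "$demo" 'S3cret-constructed'
    rm -f "$demo"
fi
```

The script's reported cmdline contains only the interpreter and the script path; the secret reaches it solely through the pipe, which (as comment #2 notes) can be consumed only once. The `exec 3<&-` line is the piece worth keeping: without it, any subprocess the join script later starts inherits fd 3 and could read whatever was left in the pipe.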
Or we could fix it in general on the kernel level in procfs with hidepid=2: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42 This was introduced in 3.4 (but it's even available in 3.1-1 since it was backported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669028)
(In reply to Moritz Muehlenhoff from comment #5)
> Or we could fix it in general on the kernel level in procfs with hidepid=2:
>
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0499680a42
>
> This was introduced in 3.4 (but it's even available in 3.1-1 since it was
> backported in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=669028)

Nevertheless it would be visible in the top module.
I don't think this issue is a release blocker since the login as a normal user is not allowed.
Not for UCS 3.2.
This was again seen by a customer, as some join scripts didn't terminate correctly and thus survived the join process. After that the user's password was visible to all other users.
A customer reported the issue again at Ticket #2016033121000153
This issue has been filed against UCS 2.4. UCS 2.4 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug". In this case please provide detailed information on how this issue is affecting you.
*** This bug has been marked as a duplicate of bug 46842 ***