Univention Bugzilla – Bug 31996
Don't pass command credentials via "$@"
Last modified: 2021-06-23 07:29:13 CEST
Currently all join scripts use "$@" to pass the binddn and bindpwd credentials to the UCS tools. Some of them also convert the parameter from the LDAP binddn back to the user name. Maybe it would be better if univention-join writes the binddn, the username and the bindpwd to temporary files which can be read by root only and writes the filenames to environment variables. All tools can then read and use the files. univention-join should remove the files at the end of the join.
See Bug #24758 for an unsafe use in /usr/share/univention-lib/umc.sh
Is this idea still relevant? At least it wasn't considered when migrating to bindpwdfile-API.
This issue has been filed against UCS 4.2. UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed. If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
We really should stop passing credentials via command line, which is trivial to exploit and can result in a complete security breach.
Created attachment 10656: patch (git:fbest/31996-remove-bindpwd-joinscript-call). Patch which removes the possibility to pass --bindpwd=$plaintextpassword.
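The file-based alternative proposed in the first comment (owner-only temporary file, file name handed over via an environment variable, file removed at the end of the step), as an added example that is not univention-join's own code. The BINDPWDFILE variable name, the join-cred temp file prefix and the helper names are assumptions of this example; a real join script would additionally install a trap so the file is removed on signals.

```shell
#!/bin/sh
# Added example, not code from univention-join: keep a bind password out of
# the argument vector by writing it to an owner-only temporary file and passing
# only the file name, so the secret cannot show up in ps or /proc/*/cmdline.
set -u

# Write one secret to a fresh temp file that is 0600 from the moment it
# exists. Prints the file name. Assumes mktemp(1) is available.
make_credential_file() {
    _old_umask=$(umask)
    umask 077
    _file=$(mktemp "${TMPDIR:-/tmp}/join-cred.XXXXXX") || return 1
    umask "$_old_umask"
    # The secret is written through a shell redirection, so it never becomes
    # an argument of an external process.
    printf '%s\n' "$1" > "$_file" || { rm -f "$_file"; return 1; }
    printf '%s\n' "$_file"
}

# Permission bits of a file in octal (GNU stat, falling back to BSD stat).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Exit 0 if the secret appears verbatim in the given argument list, 1 if not.
# This is the property to check for every tool invocation in a join script.
argv_leaks_secret() {
    _secret=$1; shift
    for _arg in "$@"; do
        case $_arg in *"$_secret"*) return 0 ;; esac
    done
    return 1
}

# Run one join step: create the file, export its name (BINDPWDFILE is an
# assumed variable name) for the tool, run the tool with the remaining
# arguments, and remove the file again whatever the tool's exit status was.
run_join_step() {
    _pw=$1; shift
    BINDPWDFILE=$(make_credential_file "$_pw") || return 1
    export BINDPWDFILE
    if "$@"; then _rc=0; else _rc=$?; fi
    rm -f "$BINDPWDFILE"
    unset BINDPWDFILE
    return $_rc
}
```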
Developer reference should be checked as well. A release note entry should be added.
univention-join (12.0.3-5)
6f30fbfcc4d8 | Bug #31996: remove support for --bindpwd credential passing
release-notes-5.0-0-en.xml release-notes-5.0-0-de.xml changelog-5.0-0.xml
84649b296d28 | Bug #31996: remove support for --bindpwd credential passing
UCS 5.0 has been released: https://docs.software-univention.de/release-notes-5.0-0-en.html https://docs.software-univention.de/release-notes-5.0-0-de.html If this error occurs again, please use "Clone This Bug".