Bug 44314 - import logs passwords
Status: CLOSED FIXED
Product: UCS@school
Classification: Unclassified
Component: Import scripts
Version: UCS@school 4.2
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS@school 4.3 v5
Assigned To: Daniel Tröder
QA Contact: Jürn Brodersen
Duplicates: 47737 47738

Reported: 2017-04-06 18:25 CEST by Daniel Tröder
Modified: 2018-09-11 11:34 CEST (History)
What kind of report is it?: Security Issue

Comment 1 Daniel Tröder univentionstaff 2018-08-15 17:17:01 CEST
[4.3] 826b69e37 Bug #44314: do not log passwords
[4.3] b331befd4 Bug #44314: advisory

ucs-school-lib (11.0.1-18)
Comment 2 Jürn Brodersen univentionstaff 2018-08-16 10:29:09 CEST
Please don't use the actual length of the password. If the password is not logged, the length shouldn't be either.
Comment 3 Daniel Tröder univentionstaff 2018-08-16 11:00:04 CEST
I was thinking that in the ucs-school-import the length of passwords is preconfigured - so it's already known. But there is no win to log it, and especially not in a lib. I have hard-coded the length to the infamous "8" :)

[4.3] d7e632ae2 Bug #44314: do not log password length
[4.3] 4cc2cee54 Bug #44314: changelog
[4.3] 85bfc8349 Bug #44314: advisory update

ucs-school-lib (11.0.1-19)
Comment 4 Jürn Brodersen univentionstaff 2018-08-17 12:24:31 CEST
OK
What I tested:
Imported students 
  -> info and log file don't include passwords anymore -> OK
  -> new_user_passwords.csv still includes the passwords -> OK

YAML -> OK
Comment 5 Sönke Schwardt-Krummrich univentionstaff 2018-09-04 13:25:50 CEST
90_ucsschool.216_import-users_delete_variants fails on UCS@school 4.3

(2018-09-03 19:47:00.433383) univention.testing.utils.LDAPObjectValueMissing: DN: uid=wh4qxnxz5c,cn=schueler,cn=users,ou=z4ul,dc=autotest206,dc=local
(2018-09-03 19:47:00.433406) sambaNTPassword: ['A41E19C4991D58F3B4FC5222BAEC18CB'], missing: 'C8BBD9FD170EDF045C1E3CA15018C276'
(2018-09-03 19:47:00.433428) sambaNTPassword: ['A41E19C4991D58F3B4FC5222BAEC18CB'], unexpected: 'A41E19C4991D58F3B4FC5222BAEC18CB'

The hash of the missing password always changes. But the unexpected hash A41E19C4991D58F3B4FC5222BAEC18CB is the same during each run.

A41E19C4991D58F3B4FC5222BAEC18CB == nthash('********')

It looks like the modification of this bug changes the input data and always sets '********' as password.
→ REOPEN
Comment 6 Sönke Schwardt-Krummrich univentionstaff 2018-09-04 14:17:12 CEST
*** Bug 47737 has been marked as a duplicate of this bug. ***
Comment 7 Sönke Schwardt-Krummrich univentionstaff 2018-09-04 14:25:40 CEST
*** Bug 47738 has been marked as a duplicate of this bug. ***
Comment 8 Daniel Tröder univentionstaff 2018-09-04 15:24:20 CEST
The log record contains the original logging call's arguments. When logging the original import input data, the password field was being modified.

[4.3] 0a9ad2640 Bug #44314: don't modify object being logged
[4.3] f4ad57d5d Bug #44314: add static type annotation
[4.3] 31fff70e0 Bug #44314: advisory update

ucs-school-lib (11.0.1-21)
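
The regression from comments 5 and 8 next to a non-mutating alternative, as an added example that is not part of the original thread or of the ucs-school-lib code: a Python `logging` filter that masks the password in place changes the caller's data, while one that masks a copy does not. The filter classes, `masked_copy`, `import_user` and the `password` field name are assumptions made for illustration.

```python
import io
import logging

MASK = "********"            # fixed 8 characters: the real length is not logged either
SECRET_KEYS = {"password"}   # assumed field name


def masked_copy(value):
    """Return a redacted copy of value, leaving the caller's object untouched."""
    if isinstance(value, dict):
        return {k: MASK if k in SECRET_KEYS else masked_copy(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [masked_copy(v) for v in value]
    if isinstance(value, tuple):
        return tuple(masked_copy(v) for v in value)
    return value


class MutatingFilter(logging.Filter):
    """Regression shape: masks in place, so the import data itself is changed."""
    def filter(self, record):
        # A single dict argument is stored as record.args itself, not in a tuple.
        args = record.args if isinstance(record.args, tuple) else (record.args,)
        for arg in args:
            if isinstance(arg, dict) and "password" in arg:
                arg["password"] = MASK   # same object the importer still uses
        return True


class CopyingFilter(logging.Filter):
    """Masks a copy and attaches the copy to the record."""
    def filter(self, record):
        record.args = masked_copy(record.args)
        return True


def import_user(log_filter):
    """Log one constructed import row through log_filter; return (log text, row)."""
    row = {"name": "anna", "password": "s3cret-Generated"}   # constructed sample
    stream = io.StringIO()
    logger = logging.Logger("import-demo")   # standalone logger, no global config
    logger.addHandler(logging.StreamHandler(stream))
    logger.addFilter(log_filter)
    logger.info("creating user from input data: %r", row)
    return stream.getvalue(), row
```

Both filters keep the password out of the log; only the copying one leaves the row usable for creating the account, which is why a login test belongs next to the log inspection.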
Comment 9 Jürn Brodersen univentionstaff 2018-09-07 10:44:15 CEST
OK
What I tested:
Imported students 
  -> info and log file don't include passwords anymore -> OK
  -> new_user_passwords.csv still includes the passwords -> OK
  -> Login is possible with imported user -> OK :)

YAML -> OK
Comment 10 Sönke Schwardt-Krummrich univentionstaff 2018-09-11 11:34:16 CEST
UCS@school 4.3 v5 has been released.

https://docs.software-univention.de/changelog-ucsschool-4.3v5-de.html

If this error occurs again, please clone this bug.