Bug 46842 - admin credentials are printed as plaintext in process list
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.3-0-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
Depends on:
Blocks: 46969 46968
Reported: 2018-04-17 14:51 CEST by Nico Stöckigt
Modified: 2018-05-23 14:27 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 5: Will affect all installed domains
How will those affected feel about the bug?: 4: A User would return the product
User Pain: 0.229
Enterprise Customer affected?:
School Customer affected?: Yes
ISV affected?:
Waiting Support:
Ticket number: 2018041721000353
Bug group (optional):
Max CVSS v3 score:

Attachment: qa-feedback.patch (4.76 KB, patch), 2018-05-15 16:59 CEST, Arvid Requate

Description Nico Stöckigt univentionstaff 2018-04-17 14:51:15 CEST
While joining, the Administrator password is entered hidden, but then it is shown as plaintext in the process list:

root@ucs-slave:~# ps aux | grep listene
root       778  0.0  0.0   4096   704 ?        Ss   Apr16   0:00 runsv univention-directory-listener
root     20880  0.0  0.0   4492  1764 pts/0    S+   11:09   0:00 /bin/sh /usr/lib/univention-install/03univention-directory-listener.inst --binddn uid=Administrator,cn=users,dc=domain,dc=tld --bindpwd ADMINPWD
listener 20904  2.2  0.9 2279084 77460 pts/0   S+   11:09   0:30 /usr/sbin/univention-directory-listener -i -d 2 -h ucs-master.domain.tld -b dc=domain,dc=tld -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -o -ZZ -x -D cn=ucs-slave,cn=domaincontroller_slave,cn=computers,dc=domain,dc=tld -y /etc/machine.secret
root     22347  0.0  0.0  12660  1704 pts/1    S+   11:32   0:00 grep listene

As a result, the password is also saved as plaintext to '/var/log/univention/system-stats.log'.

For security reasons it's better to crop the password from the output.
Comment 1 Felix Botner univentionstaff 2018-05-07 13:45:05 CEST
univention-join 8041f894f6c9fc086c54a3d48b7c86e2c376bf3a

Added an "api" for join script arguments: join scripts can now have different keywords to influence the parameters with which univention-join/univention-run-join-scripts calls the join script.

 -> "^## joinscript api: bindpwdfile$" gets called with binddn and bindpwdfile
 -> "^## joinscript api: nocredentials$" gets called without arguments
 -> "^## joinscript api: credentialfiles$" gets called without arguments

univention-join/univention-run-join-scripts now always creates /var/univention-join/binddn and /var/univention-join/bindpwd during the run of the join scripts (maybe we can get rid of the credential parameters some time).
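As an added example that is not part of this bug or of univention-join's own code: a minimal POSIX shell dispatcher showing how the "## joinscript api:" marker described in this comment can select the argument list, so that the bind password reaches the join script through a root-only file instead of argv. The function names and the credential directory are assumptions for this example.

```shell
#!/bin/sh
# Added example, not univention-join's own code: a minimal dispatcher
# that reads the "## joinscript api:" marker of a join script and builds
# its argument list so that the bind password is passed through a
# root-only file instead of argv (where "ps aux" and system-stats.log
# would record it). Function names are assumptions for this example.

# Print the api keyword declared in join script $1, or "legacy" if none.
detect_joinscript_api() {
    api=$(sed -n 's/^## joinscript api: \([a-z]*\)$/\1/p' "$1" | head -n 1)
    printf '%s\n' "${api:-legacy}"
}

# Store binddn ($2) and password ($3) as root-only files in directory $1,
# mirroring /var/univention-join/binddn and /var/univention-join/bindpwd.
write_credential_files() {
    mkdir -p "$1" && chmod 700 "$1"
    (umask 077 \
        && printf '%s\n' "$2" > "$1/binddn" \
        && printf '%s\n' "$3" > "$1/bindpwd")
}

# Print, on one line, the arguments for a join script with api keyword $1,
# binddn $2 and password file $3. Empty output means "call without args".
build_join_args() {
    case "$1" in
        bindpwdfile)
            printf '%s\n' "--binddn $2 --bindpwdfile $3" ;;
        nocredentials|credentialfiles)
            # The script reads the credential files itself: nothing in argv.
            ;;
        legacy)
            # Pre-fix behaviour reported in this bug: the password itself
            # is expanded into argv and shows up in the process list.
            printf '%s\n' "--binddn $2 --bindpwd $(cat "$3")" ;;
        *)
            echo "unknown joinscript api: $1" >&2
            return 1 ;;
    esac
}
```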
Comment 2 Felix Botner univentionstaff 2018-05-07 15:56:21 CEST
Further changes:

univention-heimdal - 5ce78ea77a45f1c9cce5a3cd3cb1eb51103dd97c
 * nocredentials in join script
 * bindpwdfile support in salt_krb5Keys

univention-directory-manager-modules - c888bb6a44a39c541bdc8fbeaa4890d9aec61dfb
 * bindpwdfile support in join script
 * bindpwdfile support in univention-dnsedit

univention-appcenter - 0873e93e7314d1289bfc08476fa70c1522f65302
 * bindpwdfile support in join script

univention-saml - b8d286633b9e56152b3b01cd7a9aa421ac5e8d23
 * bindpwdfile support in join script

That's it for now; better not too many packages with this bug ...

If the concept and the changes are OK, we better wait for the release of the packages before we move on.

I have created bug #46968 for packages that currently use the bindpwd directly and bug #46969 for packages where we can (at least from what I can see) simply switch to bindpwdfile.
Comment 3 Arvid Requate univentionstaff 2018-05-15 16:59:04 CEST
Created attachment 9531
qa-feedback.patch

Some proposals.
Comment 4 Felix Botner univentionstaff 2018-05-15 17:33:47 CEST
(In reply to Arvid Requate from comment #3)
> Created attachment 9531
> qa-feedback.patch
> Some proposals.

OK, merged.
Comment 5 Arvid Requate univentionstaff 2018-05-16 13:57:50 CEST
OK, works; code review OK, advisories look good too.
Comment 6 Felix Botner univentionstaff 2018-05-23 14:04:42 CEST
univention-appcenter -> Bug #47051
Comment 7 Felix Botner univentionstaff 2018-05-23 14:07:27 CEST
univention-directory-manager-modules -> Bug #47052