Univention Bugzilla – Bug 56333
univention-backup2master calls ldapmodify with ldap.secret visible in process list
Last modified: 2023-11-06 15:19:41 CET
univention-backup2master calls ldapmodify with ldap.secret visible in process list:

management/univention-ldap/univention-backup2master: ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
management/univention-ldap/univention-backup2master:ldapdelete -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "krb5PrincipalName=ldap/${old_ldap_master}@${kerberos_realm},cn=kerberos,${ldap_base}"
management/univention-ldap/test/listner-notifier-test: ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "$dn" "$rdn=Object$string1"
management/univention-ldap/test/listner-notifier-test: ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -r "$rdn=Object$string1,cn=$cn,$ldap_base" "$rdn=Objectxxx$string2"

→ instead "-y /etc/ldap.secret" should be used.
backup2master now uses -y "$password_file".

univention-ldap.yaml
e9e4a4871fcd | fix(backup2master): do not leak password in process list

univention-ldap (16.0.13-5)
e9e4a4871fcd | fix(backup2master): do not leak password in process list
Verified:
* Code review
* Package update
* Advisory
<https://errata.software-univention.de/#/?erratum=5.0x863>
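
Added example, not part of the bug report or Univention's code: a shell check that finds the pattern reported here, an OpenLDAP client tool given its bind password with -w (visible in the process list) where -y FILE would keep it out of argv. The tool list, the function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Univention code: find OpenLDAP client calls that put the
# bind password on the command line (-w) where -y FILE keeps it out of argv.

# Assumed list of client tools to check (extend as needed).
TOOLS='ldap(add|compare|delete|exop|modify|modrdn|passwd|search|whoami)'

# Print file:line:text for each ldap* call using "-w <value>"; comment lines
# are ignored. Returns 0 when something was found, 1 when the files are clean.
# Limitation: only matches -w followed by whitespace, on the same line.
find_argv_passwords() {
    grep -nE "(^|[^[:alnum:]_-])${TOOLS}[[:space:]].*[[:space:]]-w[[:space:]]" /dev/null "$@" |
        grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# Write a constructed sample script: two calls in the style quoted in the
# report, one already using -y, one commented out, one using -W (prompt).
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
password_file=/etc/ldap.secret
ldapmodify -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" -f "$temp_file"
ldapmodify -x -D "cn=admin,$ldap_base" -y "$password_file" -f "$temp_file"
# ldapdelete -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "$dn"
ldapsearch -x -D "cn=admin,$ldap_base" -W -b "$ldap_base"
res=$(ldapmodrdn -x -D "cn=admin,$ldap_base" -w "$(cat /etc/ldap.secret)" "$dn" "$rdn")
EOF
}

sample=$(mktemp) || exit 1
write_sample "$sample"
if find_argv_passwords "$sample"; then
    echo "password passed via -w: switch these calls to -y FILE" >&2
fi
rm -f "$sample"
```

The OpenLDAP client manual pages document -y as using the complete contents of the file as the password, so a trailing newline in that file would become part of it.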