Bug 31996

Summary: Don't pass command credentials via "$@"
Product: UCS
Reporter: Stefan Gohmann <gohmann>
Component: Join (univention-join)
Assignee: Florian Best <best>
Status: CLOSED FIXED
QA Contact: Arvid Requate <requate>
Severity: normal
Priority: P5
CC: best, gulden, hahn, requate, steuwer
Version: UCS 5.0
Target Milestone: UCS 5.0
Hardware: Other
OS: Linux
See Also: https://forge.univention.org/bugzilla/show_bug.cgi?id=20611, https://forge.univention.org/bugzilla/show_bug.cgi?id=20610
What kind of report is it?: Security Issue
Bug group (optional): Security
Max CVSS v3 score: 7.3 (CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
Bug Blocks: 53100, 53101
Attachments: patch (git:fbest/31996-remove-bindpwd-joinscript-call)

Description Stefan Gohmann univentionstaff 2013-07-17 12:12:55 CEST
Currently all join scripts use "$@" to pass the binddn and bindpwd credentials to the UCS tools. Some of them also convert the parameter from the LDAP binddn back to the user name.

Maybe it would be better if univention-join writes the binddn, the username and the bindpwd to temporary files which can be read by root only and writes the filenames to environment variables. All tools can then read and use the files.

univention-join should remove the files at the end of the join.
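
The scheme proposed in this description, sketched as an added example (not code from univention-join or from the attached patch): the helper names and the `JOIN_*` variables are hypothetical, and `--bindpwdfile` is assumed to be the option behind the "bindpwdfile-API" mentioned in comment 2.

```shell
#!/bin/sh
# Added example; helper names and JOIN_* variables are hypothetical.

# Store bind DN ($1) and password ($2) in files only the owner can read and
# export the file names. printf is a shell builtin, so the password is written
# without ever appearing in another process's argument list.
join_creds_setup() {
    join_old_umask=$(umask)
    umask 077                                   # directory 0700, files 0600
    JOIN_CRED_DIR=$(mktemp -d) || { umask "$join_old_umask"; return 1; }
    trap join_creds_cleanup EXIT                # remove the files when the join ends
    printf '%s' "$1" > "$JOIN_CRED_DIR/binddn"
    printf '%s' "$2" > "$JOIN_CRED_DIR/bindpwd"
    umask "$join_old_umask"
    JOIN_BINDDN_FILE=$JOIN_CRED_DIR/binddn
    JOIN_BINDPWD_FILE=$JOIN_CRED_DIR/bindpwd
    export JOIN_BINDDN_FILE JOIN_BINDPWD_FILE
}

# Delete the credential files and forget their names; safe to call twice.
join_creds_cleanup() {
    if [ -n "${JOIN_CRED_DIR:-}" ]; then
        rm -rf -- "$JOIN_CRED_DIR"
    fi
    unset JOIN_CRED_DIR JOIN_BINDDN_FILE JOIN_BINDPWD_FILE
}

# Run a tool with the bind DN and the *path* of the password file appended.
# --bindpwdfile is assumed to be the tool's password-file option.
with_bind_credentials() {
    "$@" --binddn "$(cat "$JOIN_BINDDN_FILE")" --bindpwdfile "$JOIN_BINDPWD_FILE"
}

# Print the permission string of a file, e.g. -rw------- for mode 0600.
cred_mode() {
    ls -ld -- "$1" | cut -c1-10
}
```

When the calling script runs as root, the files are owned by root with mode 0600, and child processes receive only the file names through the environment and their argument list.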
Comment 1 Philipp Hahn univentionstaff 2013-07-17 18:08:11 CEST
See Bug #24758 for an unsafe use in /usr/share/univention-lib/umc.sh
Comment 2 Florian Best univentionstaff 2019-03-13 14:14:13 CET
Is this idea still relevant?
At least it wasn't considered when migrating to bindpwdfile-API.
Comment 3 Ingo Steuwer univentionstaff 2020-07-03 20:53:42 CEST
This issue has been filed against UCS 4.2.

UCS 4.2 is out of maintenance and many UCS components have changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen it and update the UCS version. In this case please provide detailed information on how this issue is affecting you.
Comment 4 Philipp Hahn univentionstaff 2020-07-04 13:22:46 CEST
We really should stop passing credentials via command line, which is trivial to exploit and can result in a complete security breach.
Comment 14 Florian Best univentionstaff 2021-03-18 19:20:26 CET
Created attachment 10656
patch (git:fbest/31996-remove-bindpwd-joinscript-call)

Patch, which removes the possibility to pass --bindpwd=$plaintextpassword.
Comment 16 Florian Best univentionstaff 2021-04-14 11:52:24 CEST
Developer reference should be checked as well. A release note entry should be added.
Comment 17 Florian Best univentionstaff 2021-04-14 19:26:39 CEST
univention-join (12.0.3-5)
6f30fbfcc4d8 | Bug #31996: remove support for --bindpwd credential passing

release-notes-5.0-0-en.xml
release-notes-5.0-0-de.xml
changelog-5.0-0.xml
84649b296d28 | Bug #31996: remove support for --bindpwd credential passing
Comment 18 Florian Best univentionstaff 2021-05-25 16:01:20 CEST
UCS 5.0 has been released:
 https://docs.software-univention.de/release-notes-5.0-0-en.html
 https://docs.software-univention.de/release-notes-5.0-0-de.html

If this error occurs again, please use "Clone This Bug".