Bug 37489 - Kerberos PW readable in join.log
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Join (univention-join)
UCS 4.0
All Linux
: P4 normal (vote)
: UCS 4.0-1-errata
Assigned To: Philipp Hahn
Florian Best
Depends on: 8817
Reported: 2015-01-08 17:05 CET by Janek Walkenhorst
Modified: 2015-03-25 16:34 CET

Attachments
patch? (1007 bytes, patch)
2015-02-24 16:19 CET, Florian Best
Description Janek Walkenhorst univentionstaff 2015-01-08 17:05:41 CET
The Kerberos password is stored in univention/join.log during join with univention-join.

  ldap_dn="cn=ucs-9267,cn=dc,cn=computers,dc=organisation,dc=intranet"
  KerberosPasswd="tLrRpMEy7y8OQXW97oDN" 

+++ This bug was initially created as a clone of Bug #8817 +++

The Kerberos password appears in plaintext in join.log:
KerberosPasswd="o4dGtyX9"
Comment 1 Florian Best univentionstaff 2015-02-24 16:19:21 CET
Created attachment 6716
patch?

univention-server-join writes it into a logfile. The problem is that univention.join parses the logfile to get the password.
Maybe better would be to directly create a file like /tmp/kerberos.secret or something?

The patch just strips it when writing into the join.log logfile.
Comment 2 Philipp Hahn univentionstaff 2015-03-13 15:10:53 CET
r58956 | Bug #37489 Join: Copyright 2015
r58955 | Bug #37489 Join: filter out password from log file

Package: univention-join
Version: 7.1.2-14.500.201503131454
Branch: ucs_4.0-0
Scope: errata4.0-1

r58959 | Bug #37489 Join: filter out password from log file YAML
 2015-03-13-univention-join.yaml
Comment 3 Florian Best univentionstaff 2015-03-16 11:31:19 CET
Please check the YAML entries, there is a wrong bug number.
Comment 4 Philipp Hahn univentionstaff 2015-03-16 12:07:44 CET
(In reply to Florian Best from comment #3)
> Please check the YAML entries, there is a wrong bug number.

r59049 | Bug #37489 Join: filter out password from log file YAML
Comment 5 Florian Best univentionstaff 2015-03-16 15:47:31 CET
OK: Password no longer in logfile
OK: secret file removed at the end of join process
OK: YAML
Comment 6 Janek Walkenhorst univentionstaff 2015-03-25 16:34:40 CET
<http://errata.univention.de/ucs/4.0/123.html>
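
The approach discussed in comments 1 and 5, as an added Python example that is not code from univention-join or the attached patch: join output is redacted before it reaches the log, the password travels in an owner-only file that is deleted afterwards, and `find_leaks` flags existing logs that still hold a plaintext value. The function names, the `<redacted>` marker, the sample output and placing the secret file next to the log are assumptions.

```python
import os
import re
import tempfile

REDACTED = "<redacted>"  # assumed marker, not taken from the project
# Matches the KerberosPasswd="..." line format quoted in the bug description.
SECRET_LINE = re.compile(r'^([ \t]*KerberosPasswd=)"([^"]*)"', re.MULTILINE)

# Constructed sample of join output; the DN and password are made up.
SAMPLE_OUTPUT = (
    '  ldap_dn="cn=host-example,cn=dc,cn=computers,dc=example,dc=test"\n'
    '  KerberosPasswd="constructed-example-pw" \n'
)


def split_secret(output):
    """Return (text safe to log, extracted password or None)."""
    match = SECRET_LINE.search(output)
    secret = match.group(2) if match else None
    return SECRET_LINE.sub(r'\1"%s"' % REDACTED, output), secret


def find_leaks(log_text):
    """Return 1-based line numbers that still carry an unredacted password."""
    leaks = []
    for number, line in enumerate(log_text.splitlines(), 1):
        match = SECRET_LINE.match(line)
        if match and match.group(2) != REDACTED:
            leaks.append(number)
    return leaks


def run_join_step(output, log_path, consumer):
    """Log redacted output, hand the password over in a 0600 file, delete it."""
    redacted, secret = split_secret(output)
    with open(log_path, "a") as log:
        log.write(redacted)
    if secret is None:
        return consumer(None)
    # mkstemp creates the file exclusively, mode 0600, with a random name,
    # which avoids the races a fixed name in a shared directory would allow.
    secret_dir = os.path.dirname(log_path) or None
    fd, path = tempfile.mkstemp(suffix=".secret", dir=secret_dir)
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(secret)
        return consumer(path)
    finally:
        os.unlink(path)  # removed even if the consumer raises
```

Logs written before the fix still contain the password, so running `find_leaks` over existing join.log files shows which hosts need the file cleaned up.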