Univention Bugzilla – Bug 46842
admin credentials are printed as plaintext in process list
Last modified: 2022-02-21 14:31:06 CET
While joining, the Administrator password is entered hidden, but it is then shown as plaintext in the process list:

------------------------------------------------------------
root@ucs-slave:~# ps aux | grep listene
root       778  0.0  0.0    4096   704 ?        Ss   Apr16   0:00 runsv univention-directory-listener
root     20880  0.0  0.0    4492  1764 pts/0    S+   11:09   0:00 /bin/sh /usr/lib/univention-install/03univention-directory-listener.inst --binddn uid=Administrator,cn=users,dc=domain,dc=tld --bindpwd ADMINPWD
listener 20904  2.2  0.9 2279084 77460 pts/0    S+   11:09   0:30 /usr/sbin/univention-directory-listener -i -d 2 -h ucs-master.domain.tld -b dc=domain,dc=tld -m /usr/lib/univention-directory-listener/system -c /var/lib/univention-directory-listener -o -ZZ -x -D cn=ucs-slave,cn=domaincontroller_slave,cn=computers,dc=domain,dc=tld -y /etc/machine.secret
root     22347  0.0  0.0   12660  1704 pts/1    S+   11:32   0:00 grep listene
------------------------------------------------------------

By this the password is also saved as plaintext to '/var/log/univention/system-stats.log'. For security reasons it's better to crop the password from the output.
univention-join 8041f894f6c9fc086c54a3d48b7c86e2c376bf3a

added "api" for join script arguments; join scripts now can have different key words to influence the parameters with which univention-join/univention-run-join-scripts calls the join script:

-> "^## joinscript api: bindpwdfile$" gets called with binddn and bindpwdfile
-> "^## joinscript api: nocredentials$" gets called without arguments
-> "^## joinscript api: credentialfiles$" gets called without arguments

univention-join/univention-run-join-scripts now always creates /var/univention-join/binddn and /var/univention-join/bindpwd during the run of the join scripts (maybe we can get rid of the credential parameters some time)
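The two sides of this bug, as an added shell example that is not Univention code and not part of this bug: the report above shows a join script invoked with `--bindpwd ADMINPWD`, so the secret sits in argv where any local user can read it via `ps` or `/proc/<pid>/cmdline`; the `bindpwdfile` API instead hands the script a path. `scan_cmdlines` audits a /proc-style tree for processes whose argv carries `--bindpwd`, and `joinscript_read_credentials` is the argument handling a `## joinscript api: bindpwdfile` script could use. The /proc data, the PIDs, the path `/usr/lib/univention-install/99example.inst` and the variable names `BINDDN`, `BINDPWDFILE` and `BINDPWD` are constructed for illustration and are assumptions, not anything from the project.

```shell
#!/bin/sh
# Added example, not Univention code. Two pieces matching the bug report and
# the "joinscript api: bindpwdfile" change:
#   scan_cmdlines               - audit /proc for argv that carries --bindpwd
#   joinscript_read_credentials - argument handling for a join script so the
#                                 password only ever travels in a file
# build_fake_proc writes constructed /proc-style cmdline files (modelled on
# the ps output in the report) into a temp dir so everything runs offline;
# point scan_cmdlines at /proc for a real check.
set -eu

# Print "<pid> <argv0>" for each process whose argv contains the option
# --bindpwd (bare or as --bindpwd=VALUE). /proc/<pid>/cmdline is NUL-separated,
# so tr yields one argument per line; the anchored pattern keeps --bindpwdfile
# (a path, not a secret) from being reported as a hit.
scan_cmdlines() {
    procdir=$1
    for f in "$procdir"/*/cmdline; do
        [ -r "$f" ] || continue
        if tr '\0' '\n' < "$f" | grep -Eq -- '^--bindpwd(=|$)'; then
            pid=$(basename "$(dirname "$f")")
            argv0=$(tr '\0' '\n' < "$f" | head -n 1)
            printf '%s %s\n' "$pid" "$argv0"
        fi
    done
}

# Join-script side. Accepts --binddn DN --bindpwdfile PATH, refuses a plaintext
# --bindpwd, and reads the secret into a shell variable (never into argv).
# Results land in BINDDN, BINDPWDFILE and BINDPWD (hypothetical names).
# Downstream tools should be handed the file, e.g. ldapsearch -D "$BINDDN"
# -y "$BINDPWDFILE", so the value itself never reaches a process list.
joinscript_read_credentials() {
    BINDDN= BINDPWDFILE= BINDPWD=
    while [ $# -gt 0 ]; do
        case $1 in
            --binddn)      [ $# -ge 2 ] || return 1; BINDDN=$2; shift 2 ;;
            --bindpwdfile) [ $# -ge 2 ] || return 1; BINDPWDFILE=$2; shift 2 ;;
            --bindpwd)     echo "refusing password on the command line" >&2; return 2 ;;
            *)             shift ;;
        esac
    done
    [ -n "$BINDDN" ] && [ -n "$BINDPWDFILE" ] && [ -r "$BINDPWDFILE" ] || return 1
    BINDPWD=$(cat -- "$BINDPWDFILE")
}

# Constructed sample data modelled on the report: a join script invoked the old
# way (--bindpwd), the listener using -y FILE, a join script invoked the new
# way (--bindpwdfile), plus a 0600 password file. Prints the temp dir.
build_fake_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/20880" "$d/20904" "$d/31337"
    printf '/bin/sh\0/usr/lib/univention-install/03univention-directory-listener.inst\0--binddn\0uid=Administrator,cn=users,dc=domain,dc=tld\0--bindpwd\0ADMINPWD\0' \
        > "$d/20880/cmdline"
    printf '/usr/sbin/univention-directory-listener\0-D\0cn=ucs-slave,cn=domaincontroller_slave,cn=computers,dc=domain,dc=tld\0-y\0/etc/machine.secret\0' \
        > "$d/20904/cmdline"
    printf '/bin/sh\0/usr/lib/univention-install/99example.inst\0--binddn\0uid=Administrator,cn=users,dc=domain,dc=tld\0--bindpwdfile\0%s\0' "$d/bindpwd" \
        > "$d/31337/cmdline"
    (umask 077; printf 'ADMINPWD' > "$d/bindpwd")
    printf '%s\n' "$d"
}

# Stand-alone run: audit the constructed /proc, then take the safe path.
PROC=$(build_fake_proc)
echo "processes exposing --bindpwd in argv:"
scan_cmdlines "$PROC"
joinscript_read_credentials --binddn uid=Administrator,cn=users,dc=domain,dc=tld --bindpwdfile "$PROC/bindpwd"
echo "join script got DN $BINDDN and a ${#BINDPWD}-char password via $BINDPWDFILE"
rm -rf "$PROC"
```

On a live system run `scan_cmdlines /proc`; only PID 20880 from the constructed data is reported, while the listener's `-y /etc/machine.secret` and the `--bindpwdfile` invocation are not, because their argv reveals a path rather than the secret. That is the same property the `bindpwdfile` join script API gives the join scripts.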
further changes

univention-heimdal - 5ce78ea77a45f1c9cce5a3cd3cb1eb51103dd97c
* nocredentials in join script
* bindpwdfile support in salt_krb5Keys

univention-directory-manager-modules - c888bb6a44a39c541bdc8fbeaa4890d9aec61dfb
* bindpwdfile support in join script
* bindpwdfile support in univention-dnsedit

univention-appcenter - 0873e93e7314d1289bfc08476fa70c1522f65302
* bindpwdfile support in join script

univention-saml - b8d286633b9e56152b3b01cd7a9aa421ac5e8d23
* bindpwdfile support in join script

that's it for now, better not too many packages with this bug ... If the concept and the changes are OK, we better wait for the release of the packages before we move on. I have created bug #46968 for packages that currently use the bindpwd directly and bug #46969 for packages where we can (at least from what I can see) simply switch to bindpwdfile.
Created attachment 9531
qa-feedback.patch

Some proposals.
(In reply to Arvid Requate from comment #3)
> Created attachment 9531
> qa-feedback.patch
>
> Some proposals.

ok, merged
Ok works, code review ok, advisories look good too.
univention-appcenter -> Bug #47051
univention-directory-manager-modules -> Bug #47052
<http://errata.software-univention.de/ucs/4.3/85.html> <http://errata.software-univention.de/ucs/4.3/86.html> <http://errata.software-univention.de/ucs/4.3/87.html>
*** Bug 41105 has been marked as a duplicate of this bug. ***
*** Bug 20611 has been marked as a duplicate of this bug. ***