package: debian-edu-config severity: important version: squeeze/r0
Passwords containing spaces need adequate quoting of the password variable in both gosa-sync and gosa.conf.
Leaving the user-supplied password string unquoted in those two files is also very likely a security hazard, since the string is passed into a shell command line (gosa.conf) and a kadmin command line (gosa-sync) without escaping; hence severity=important.
The following patch just adds the quoting and was verified to fix the issue. -- Samuel Krempp
--- /etc/gosa/gosa.conf.befSK 2012-03-25 09:45:33.000000000 +0200
+++ /etc/gosa/gosa.conf 2012-03-25 09:50:10.000000000 +0200
@@ -44,7 +44,7 @@
 <plugin acl="users/phoneAccount:self" class="phoneAccount"/>
 <plugin acl="users/nagiosAccount:self" class="nagiosAccount"/>
 <plugin acl="users/scalixAccount:self" class="scalixAccount"/>
- <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD=%userPassword /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
+ <plugin acl="users/password:self" class="password" postmodify="USERPASSWORD="%userPassword" /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync %dn"/>
 </section>
 <!-- Section to enable administrative services -->
--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25 09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync 2012-03-25 09:56:04.000000000 +0200
@@ -15,7 +15,6 @@
 ## principal's one.
 RETVAL=0
-
 USERDN=$1
 USERID=`echo $USERDN | sed "s/^uid=\([^,]*\),.*$/\1/"`
@@ -30,7 +29,7 @@
 IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
 if [ "$IAM" = "dn:$USERDN" ] ; then
 cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$USERPASSWORD" $USERID
 EOF
 cat $TMPFILE | kadmin.local 2>&1 | logger -t gosa-sync -p notice
 logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
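Review bot: The added `postmodify` value is not well-formed XML: the `"` right after `USERPASSWORD=` closes the attribute, leaving `%userPassword" /usr/bin/sudo …` dangling, so the config will fail to parse (or the hook loses its command) rather than quote anything. Inside the attribute use entities or single quotes, e.g. `postmodify="USERPASSWORD='%userPassword' /usr/bin/sudo /usr/share/debian-edu-config/tools/gosa-sync '%dn'"`; `%dn` needs quoting too, since DNs contain commas and often spaces. Quoting here only helps if GOsa does not already shell-escape the substituted `%` values — if it runs them through escapeshellarg, the extra quotes double-escape and break the command instead — and even then a password containing the quote character you chose still breaks out of the command string, so what GOsa actually does with the substitution needs confirming before settling on a style; I cannot tell from the hunk. The underlying hazard is that a user-supplied password is interpolated into a shell command line at all.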
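Review bot: The double quotes on the new `change_password` line are interpreted by kadmin.local's own command parser, not by the shell, so a password containing `"` still breaks the command, and a password containing a newline ends the heredoc line and would hand a second arbitrary command to kadmin.local (whether GOsa lets a newline reach `USERPASSWORD` I cannot tell from here). `$USERID`, which is cut out of the DN by the `sed` above, is also still unquoted on that line, as are `$TMPFILE` and `$USERDN` in the `ldapwhoami` context line. I would escape embedded quotes the way kadmin's ss parser expects (doubling them — please verify against the installed krb5) and reject newlines outright, as below; the enclosing `if` closes outside the hunk, and the early exit must also remove `$TMPFILE`, which holds the bind password at that point.

```shell
if [ "$IAM" = "dn:$USERDN" ] ; then
    # The heredoc line is parsed by kadmin.local, not the shell: an embedded
    # '"' must be doubled (ss-library quoting -- verify), and an embedded
    # newline would start a second kadmin command, so refuse it instead.
    nl='
'
    case $USERPASSWORD in
        *"$nl"*)
            logger -t gosa-sync -p err "refusing password with embedded newline for '$USERID'"
            rm -f -- "$TMPFILE"
            exit 1 ;;
    esac
    QUOTED_PW=$(printf '%s' "$USERPASSWORD" | sed 's/"/""/g')
    cat > "$TMPFILE" <<EOF
change_password -pw "$QUOTED_PW" "$USERID"
EOF
    # … unchanged: kadmin.local invocation and notice logging …
```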