Steven Chamberlain wrote, on 27/03/2012 01:54:
Hi,
On 26/03/12 10:05, Petter Reinholdtsen wrote:
The fix for gosa.conf is not upgradable, so we need to come up with a
better idea.
The fix won't work. Using quotes in gosa.conf is no good if the
%userPassword substitution could contain double quotes.
Yes, the patch to gosa.conf I had first sent has to be reversed if GOsa
is upgraded to escape userPassword (in functions.inc).
With such an escaped %userPassword the variable can be sent to the
gosa-sync script untampered, then the only thing to do is make sure
gosa-sync handles it correctly: re-quote it to be used in kadmin,
because kadmin only uses double quotes.
Without that, it is possible, and fairly easy, for a user to exploit
%userPassword to send any command to kadmin, run as root, which is a
pretty big vulnerability at the moment.
That's why I had sent that patch to gosa-sync, which is the only thing
to patch once GOsa's functions.inc is upgraded.
--- /usr/share/debian-edu-config/tools/gosa-sync.orig 2012-03-25
09:28:32.000000000 +0200
+++ /usr/share/debian-edu-config/tools/gosa-sync 2012-03-26
15:34:13.000000000 +0200
@@ -28,9 +28,10 @@
$USERPASSWORD
EOF
IAM=`ldapwhoami -x -Z -y $TMPFILE -D $USERDN 2>/dev/null || true`
+EUSERPASSWORD=`cat $TMPFILE | sed -e 's/"/""/g'` # escapes " because kadmin
need to use double quotes
if [ "$IAM" = "dn:$USERDN" ] ; then
cat > $TMPFILE <<EOF
-change_password -pw $USERPASSWORD $USERID
+change_password -pw "$EUSERPASSWORD" $USERID
EOF
cat $TMPFILE | kadmin.local 2>&1 | logger -t gosa-sync -p notice
logger -t gosa-sync -p notice Kerberos password for \'$USERID\' changed.
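Review bot: the comment on the new EUSERPASSWORD line has wrapped onto a second line ("need to use double quotes") that carries no `+` prefix, so the patch as pasted will not apply cleanly; keep the comment on the `+` line itself or move it to its own `+#` line. Two further points in this hunk: doubling `"` only neutralises the password if kadmin's command parser really treats `""` inside a double-quoted token as one literal quote, so that should be confirmed before the fix is relied on; and because `cat > $TMPFILE <<EOF` still emits one kadmin command per line, a newline inside the password cannot be quoted away and needs to be rejected before this point. `$TMPFILE` and `$USERID` also remain unquoted in the shell expansions.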