Package: keystone
Version: 2012.1.1-13
Severity: minor

Hi Thomas,
Looking at the keystone postinst and remembering some comments on #debian-security, I noticed that the keystone postinst does replacements with sed as follows:

    if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then
        if [ "${DIRECTIVE_TYPE}" = "equal" ] ; then
            if [ "${INIFILE_SHELL_INCLUDE}" = "yes" ] ; then
                sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}'='${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
            else
                sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
            fi
        else
            sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}': '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
        fi
    fi

    [...]

    # Create keystone.conf if it's not there
    pkgos_write_new_conf keystone keystone.conf

    # Set the auth_token directive in keystone.conf
    db_get keystone/auth-token
    AUTH_TOKEN=${RET}
    if [ -z "${AUTH_TOKEN}" ] ; then
        AUTH_TOKEN=`pkgos_gen_pass`
    fi
    pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}

But this might, for a short time only, expose the password in the process list, as the token is passed as a command line argument, which is world readable.

The reason I originally looked at the postinst: keystone in wheezy/sid seems to create a /etc/keystone/keystone.confe due to

    AUTH_TOKEN=${RET:-ADMIN}
    sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}

being used, so replacing the file creates a backup file with the ending 'e'.

Thank you for your work on the openstack packages!

Regards,
Salvatore
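As an added illustration (not code from the bug report or from the keystone package) of the two points above, the following sh snippet writes an ini directive while keeping the secret out of argv, by letting awk read it from the environment via ENVIRON, and shows the `sed -ie` backup-suffix pitfall. It assumes POSIX sh, awk, sed and mktemp, a single-section file (no [section] handling, unlike pkgos_inifile) and a directive name that is regex-safe.

```shell
#!/bin/sh
# Added example, not part of the keystone postinst. Secret values are read
# from the environment, so `ps` shows only the variable name, never the token.

# set_directive_from_env FILE KEY ENVVAR
# Replaces "KEY = ..." in FILE (or appends it) with the value held in $ENVVAR.
# Assumes a single-section ini file and a KEY without regex metacharacters.
set_directive_from_env() {
    file=$1; key=$2; var=$3
    tmp=$(mktemp "${file}.XXXXXX") || return 1
    # KEY and the env var *name* are not secrets, so -v is fine for them;
    # the token itself is only ever touched inside awk through ENVIRON[var].
    awk -v key="$key" -v var="$var" '
        BEGIN { pat = "^[ \t]*" key "[ \t]*="; done = 0 }
        $0 ~ pat { print key " = " ENVIRON[var]; done = 1; next }
        { print }
        END { if (!done) print key " = " ENVIRON[var] }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_directive FILE KEY: prints the current value of KEY (used to check results).
get_directive() {
    sed -n "s/^[ \t]*$2[ \t]*=[ \t]*//p" "$1"
}

# demo_sed_ie: returns 0 if `sed -ie` left a FILE + "e" backup behind.
# GNU and BSD sed parse "-ie" as -i with backup suffix "e"; `sed -i -e` does not.
demo_sed_ie() {
    d=$(mktemp -d) || return 1
    printf 'admin_token = ADMIN\n' > "$d/keystone.conf"   # constructed sample
    sed -ie 's/ADMIN/x/' "$d/keystone.conf"
    [ -e "$d/keystone.confe" ]; rc=$?
    rm -rf "$d"
    return $rc
}
```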