On Mon, Oct 08, 2007 at 05:52:29PM +0000, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 18:04:49 +0200, Pierre Habouzit wrote
> >   The issue is that when the commands are run, the arguments can be 
> > seen in clear text in `ps aux` output.
> > 
> >   So not only that script has the issue, the parts where you sed -e
> > "s/<password>/$PASSWORD/g" are vulnerable too.
> 
> Hi again Pierre,
> 
> Yes, this is a really *big* issue. This is why one should prevent users from
> seeing processes running with another uid and/or gid (e.g.
> security.bsd.see_other_[u|g]ids sysctls on FreeBSD and hardened kernels on
> GNU/Linux)!
> 
> Unfortunately, this is not always possible and there is no simple way to fix
> this flaw. Note this is not related to the ldapscripts: any admin running a
> 'standard' ldapadd command (or ldapmodify, ...) with the -w switch will
> encounter the same problem.
> 
> I'll try to have a look at it. The idea of a file containing the passwd could
> be good... Any other idea is welcome :)

  IMHO the best fix is to have in your "runtime" file sth like:

SAFE_TMPDIR=$(mktemp -d) || die "unable to create safe temporary directory"
trap 'rm -rf "$SAFE_TMPDIR"' 0

  This way, when any script ends, the whole temporary safe directory gets
removed.

  Then you can create whichever file you want, even using predefined
filenames if you want to. sed and ldappasswd are both able to read their
commands from a file. Also one could argue that "echo $PASSWD" is safe in
many shells where echo is a builtin.

You could ensure that it's the case using:

if ! (type echo || die "shell has no 'type' builtin") | grep -q builtin; then
    die "echo is not a builtin, ldapscripts won't be safe"
fi

  I tried in bash, dash, posh and zsh. It detects properly that posh
isn't suitable.

So that you can build the sed scripts using:
  echo "$PASSWORD" >> foo.sed
in a safe way.

-- 
·O·  Pierre Habouzit
··O                                                [EMAIL PROTECTED]
OOO                                                http://www.madism.org
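The approach sketched above, worked through as an added example (not the ldapscripts project's own code): a private mktemp directory cleaned up by a trap, a builtin check, and the password substituted via `sed -f` so it never appears in a process's argv. Names such as check_builtin, render_template and the LDAP_PASSWORD variable are assumptions; printf is used alongside echo because it is also a builtin in bash, dash and zsh and does not mangle backslashes in the password.

```shell
#!/bin/sh
# Keep the password off the command line: the secret lives in a 0700 mktemp
# directory and reaches sed through a script file, never as an argument.

die() { echo "$*" >&2; exit 1; }

# Succeed only if "$1" is a shell builtin; an external /bin/echo or /bin/printf
# would receive the password as argv and expose it in `ps aux`.
check_builtin() {
    type "$1" 2>/dev/null | grep -q builtin
}

# Create the private directory and remove it whenever the shell exits.
setup_safe_tmpdir() {
    umask 077                      # anything created below is owner-only
    SAFE_TMPDIR=$(mktemp -d) || die "unable to create safe temporary directory"
    trap 'rm -rf "$SAFE_TMPDIR"' 0
}

# Replace the <password> placeholder in template "$1", writing the result to "$2".
# The password is taken from the shell variable LDAP_PASSWORD (assumed name);
# it is passed only to builtins and through pipes, so it never becomes argv.
render_template() {
    _sedscript="$SAFE_TMPDIR/pw.sed"
    # Escape \, / and & so a password containing them does not break the s///.
    _escaped=$(printf '%s\n' "$LDAP_PASSWORD" | sed 's/[\/&]/\\&/g')
    printf '%s\n' "s/<password>/$_escaped/g" > "$_sedscript"
    sed -f "$_sedscript" "$1" > "$2"
    # The same directory can hold a bind-password file for OpenLDAP's -y option,
    # which replaces the -w switch mentioned in the thread.
}
```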
