Issue #11094 has been reported by Dan Lowe.
----------------------------------------
Bug #11094: ruby-libshadow not being used on RHEL 6
https://projects.puppetlabs.com/issues/11094
Author: Dan Lowe
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 2.7.6
Keywords:
Branch:
To be honest, I am not sure if this should be a bug or feature request, but my
reading of the documentation makes me think it's a possible bug.
On my Solaris 8 and 10 systems, I have Puppet 2.7.6 running with
ruby-libshadow, and users are added as expected, including their shadow
passwords being handled.
On RHEL 6, the users are being added properly, but during an audit we
determined that there is information leakage during the add process. The
password hash is being supplied to useradd via the "-p" flag. (Presumably this
is also the case with usermod when the user already exists at the time of
password set/change.) That creates a small but extant leakage where the hash is
exposed to any user on the system via the process table (if only briefly).
My understanding is that when libshadow is installed, Puppet is supposed to use
it to handle shadow passwords, instead of using user{add,mod} -p. Is this
intentional behavior, or is it abnormal that libshadow is not being used?
I wrote a wrapper around useradd to capture the arguments it was passed; here
is an example test user that was added:
'-s' '/bin/bash' '-u' '9998' '-g' 'root' '-c' 'Dan Lowe' '-d' '/home/dantest8'
'-p' 'EAY9JzzcL3kSz' '-M' 'dantest8'
libshadow is installed on this system.
$ gem list | grep shadow
libshadow (1.0.0)
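Added example (not from the report and not Puppet's own code): the check the wrapper above performs, written as a Ruby audit that parses a useradd/usermod command line as it appears in /proc/<pid>/cmdline, flags a password hash passed via -p/--password, and returns a redacted argv that is safe to log. Function and constant names are my own; the argv used for the checks is the one captured in the report.

```ruby
PASSWORD_FLAGS = ['-p', '--password'].freeze
USER_TOOLS = %w[useradd usermod].freeze

# /proc/<pid>/cmdline stores argv as NUL-separated strings.
def parse_proc_cmdline(raw)
  raw.split("\0").reject(&:empty?)
end
# Inspect one argv. Returns whether a hash was exposed, the hash seen
# (or nil) and a redacted copy of argv that is safe to log.
def audit_user_tool_argv(argv)
  result = { exposed: false, hash: nil, redacted: [] }
  return result.merge(redacted: argv.dup) unless USER_TOOLS.include?(File.basename(argv.first.to_s))
  i = 0
  while i < argv.length
    arg = argv[i]
    if PASSWORD_FLAGS.include?(arg) && i + 1 < argv.length # "-p HASH" or "--password HASH"
      result[:exposed] = true
      result[:hash] = argv[i + 1]
      result[:redacted] << arg << '<REDACTED>'
      i += 1 # skip the value
    elsif arg.start_with?('--password=') # "--password=HASH"
      result[:exposed] = true
      result[:hash] = arg.split('=', 2)[1]
      result[:redacted] << '--password=<REDACTED>'
    elsif arg =~ /\A-p(.+)\z/ # "-pHASH": getopt accepts the value glued to the flag
      result[:exposed] = true
      result[:hash] = Regexp.last_match(1)
      result[:redacted] << '-p<REDACTED>'
    else
      result[:redacted] << arg
    end
    i += 1
  end
  result
end

# Walk a /proc-style tree (root overridable so the check can run on a fixture)
# and list the processes whose argv currently carries a password hash.
def find_exposed_password_processes(proc_root = '/proc')
  hits = []
  Dir.glob(File.join(proc_root, '[0-9]*', 'cmdline')).each do |path|
    begin
      argv = parse_proc_cmdline(File.binread(path))
    rescue Errno::ENOENT, Errno::EACCES
      next # the process exited or its cmdline is unreadable; skip it
    end
    result = audit_user_tool_argv(argv)
    hits << { pid: File.basename(File.dirname(path)).to_i, command: result[:redacted].join(' ') } if result[:exposed]
  end
  hits
end
```

Against a live /proc this takes a single snapshot, so it only catches a useradd that is running at that instant; a wrapper or process accounting is the more reliable way to confirm the brief exposure the report describes.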