Issue #11094 has been updated by Dan Lowe.

Since Solaris also provides putspent(), sounds like a possible opportunity to factor out that Solaris-specific code...

----------------------------------------
Bug #11094: ruby-libshadow not being used on RHEL 6
https://projects.puppetlabs.com/issues/11094

Author: Dan Lowe
Status: Accepted
Priority: Normal
Assignee:
Category: security
Target version:
Affected Puppet version: 2.7.6
Keywords: useradd passwords
Branch:

To be honest, I am not sure if this should be a bug or feature request, but my reading of the documentation makes me think it's a possible bug.

On my Solaris 8 and 10 systems, I have Puppet 2.7.6 running with ruby-libshadow, and users are added as expected, including their shadow passwords being handled.

On RHEL 6, the users are being added properly, but during an audit we determined that there is information leakage during the add process. The password hash is being supplied to useradd via the "-p" flag. (Presumably this is also the case with usermod when the user already exists at the time of password set/change.) That creates a small but extant leakage where the hash is exposed to any user on the system via the process table (if only briefly).

My understanding is that when libshadow is installed, Puppet is supposed to use it to handle shadow passwords, instead of using user{add,mod} -p. Is this intentional behavior, or is it abnormal that libshadow is not being used?

I wrote a wrapper around useradd to capture the arguments it was passed, here is an example test user that was added.

    '-s' '/bin/bash' '-u' '9998' '-g' 'root' '-c' 'Dan Lowe' '-d' '/home/dantest8' '-p' 'EAY9JzzcL3kSz' '-M' 'dantest8'

libshadow is installed on this system.

    $ gem list | grep shadow
    libshadow (1.0.0)
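
An audit check for the exposure described in the report, added here as an example (it is not Puppet code and not from the reporter). It flags useradd/usermod command lines that carry a password hash and masks the hash before anything is logged; the function names and the /usr/sbin/useradd path are assumptions.

```ruby
# Added example, not Puppet code: audit for useradd/usermod invocations that
# carry a password hash in argv, which any local user can read while they run.
USER_TOOLS = %w[useradd usermod].freeze

# Index of the argument holding the hash, or nil. argv[0] is the program path.
# Handles "-p HASH", "--password HASH" and "--password=HASH".
def exposed_hash_index(argv)
  return nil if argv.empty? || !USER_TOOLS.include?(File.basename(argv[0]))
  argv.each_with_index do |arg, i|
    next if i.zero?
    return i if arg.start_with?('--password=')
    return i + 1 if %w[-p --password].include?(arg) && i + 1 < argv.length
  end
  nil
end

# Copy of argv with the hash masked, safe to write to an audit log.
def redact(argv)
  idx = exposed_hash_index(argv)
  return argv.dup if idx.nil?
  out = argv.dup
  out[idx] = out[idx].start_with?('--password=') ? '--password=[REDACTED]' : '[REDACTED]'
  out
end

# /proc/<pid>/cmdline is NUL-separated; processes can exit mid-scan.
def read_argv(path)
  File.binread(path).split("\0")
rescue SystemCallError
  []
end

# Linux only: [pid, redacted argv] for each exposed invocation currently running.
def scan_proc(root = '/proc')
  Dir.glob(File.join(root, '[0-9]*', 'cmdline')).map do |path|
    argv = read_argv(path)
    [File.basename(File.dirname(path)).to_i, redact(argv)] if exposed_hash_index(argv)
  end.compact
end

# Arguments as captured in the report; the /usr/sbin/useradd path is assumed.
SAMPLE_ARGV = %w[/usr/sbin/useradd -s /bin/bash -u 9998 -g root -c] +
              ['Dan Lowe'] + %w[-d /home/dantest8 -p EAY9JzzcL3kSz -M dantest8]

if __FILE__ == $PROGRAM_NAME
  puts redact(SAMPLE_ARGV).join(' ')
  scan_proc.each { |pid, argv| puts "pid #{pid}: #{argv.join(' ')}" }
end
```

A point-in-time scan only sees processes alive at that moment, so the same check is more useful applied to argv records from whatever process-execution logging is already collected.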
