On Mon, Oct 08, 2007 at 02:57:42PM +0000, Ganael LAPLANCHE wrote:
> On Mon, 08 Oct 2007 14:10:21 +0200, Pierre Habouzit wrote
>
> Hi Pierre,
>
> > > Unless you're running grsecurity or some other patched kernel, the
> > > following cannot be good:
> > >
> > > $LDAPPASSWDBIN -w "$BINDPWD" -D "$BINDDN" -xH "ldap://$SERVER" -s "$1"
> > > "$2" 2>>"$LOGFILE" 1>/dev/null
>
> Thanks for the forward.
>
> Two passwords appear in clear-text format here : $BINDPWD (the one used for
> any ldapscripts connection) and $1 (the new one, to be changed for a given
> user). The first one appears in any function defined in the runtime file
> (easy to grep : BINDPWD), the second one is only used in _changepassword()
> to change a user's password.
>
> Is it a matter of making the first one appear ? The second one, or both ? I
> understand these security issues, but my opinion is the scripts should only be
> used by a small set of users (e.g. *very* limited rx access to a specific
> user/group for config, runtime and script files). Since the password (at least
> the one used for binding) has to be sent clear-text to the LDAP directory, it
> has to be stored clear-text somewhere locally, and thus, any allowed user can
> source the conf file. I'm not sure storing it in a temp file would solve the
> problem...
>
> Any further explanation of the problem is welcome since I am not sure to
> understand the problem correctly...
The issue is that when the commands are run, the arguments can be seen in clear text in `ps aux` output. So it is not only that script that has the issue: the parts where you `sed -e "s/<password>/$PASSWORD/g"` are vulnerable too. I understand the issue is not that obvious to fix, but this is an issue in a multiuser environment, even if small (in my company we use ldap, we don't want our interns to run busy `ps aux` loops to steal the ldap password …).

-- 
·O·  Pierre Habouzit
··O                                                [EMAIL PROTECTED]
OOO                                                http://www.madism.org
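The exposure described in this thread, as an added demonstration that is not code from ldapscripts or from either poster: a secret handed to a child process as a command-line argument is readable from the process table by every local user, while a secret passed over a pipe (or, for OpenLDAP's `ldappasswd`, read from a file with `-y passwdfile` / `-T file`) is not. `DEMO_SECRET`, the three `secret_*`/`substitute_*` functions and the `argv_exposes` scan are all constructed for this example; the scan reads `/proc/<pid>/cmdline`, which is the same data `ps aux` prints.

```shell
#!/bin/sh
# Added demonstration, not code from ldapscripts or from the thread above.
# Shows what `ps aux` reveals when a secret is an argv word, and two ways to
# hand a secret to a child process without that. Every name below is
# constructed for this example.

# Built from two pieces so the joined string never appears literally in any
# argument list (e.g. if this script were itself passed via `sh -c`).
DEMO_SECRET=$(printf '%s' 'S3cret-Demo' '-Only')   # constructed, not a real credential

# Return 0 if the given string appears in the argument list of any process
# visible to the caller. On Linux this reads /proc/<pid>/cmdline (what
# `ps aux` shows); elsewhere it falls back to ps.
argv_exposes() {
    needle=$1
    if [ -d /proc/self ]; then
        table=$(for f in /proc/[0-9]*/cmdline; do
                    tr '\0' ' ' < "$f" 2>/dev/null || :
                    echo
                done)
    else
        table=$(ps axo args=)
    fi
    case "$table" in
        *"$needle"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Leaky pattern, as in `ldappasswd -w "$BINDPWD" ... -s "$1"`: the secret is an
# argv word. `sh` ignores the extra positional parameter, so it stands in for
# any program given a password on its command line. Returns 0 when the secret
# was visible, i.e. when the exposure is confirmed.
secret_visible_on_argv() {
    sh -c 'sleep 2; sleep 0' sh "$DEMO_SECRET" &
    pid=$!
    sleep 1                                  # let the child start
    if argv_exposes "$DEMO_SECRET"; then visible=0; else visible=1; fi
    kill "$pid" 2>/dev/null || :
    wait "$pid" 2>/dev/null || :
    return "$visible"
}

# Safer pattern: the secret travels over a pipe and the child reads it from
# stdin, the way `ldappasswd -y passwdfile` / `-T file` read it from a file.
# printf is a shell builtin, so no process ever carries the secret in argv.
# Returns 0 when the secret was NOT visible anywhere in the process table.
secret_hidden_via_stdin() {
    printf '%s\n' "$DEMO_SECRET" | sh -c 'IFS= read -r pw; sleep 2; sleep 0' sh &
    sleep 1
    if argv_exposes "$DEMO_SECRET"; then hidden=1; else hidden=0; fi
    wait 2>/dev/null || :
    return "$hidden"
}

# The sed case from the thread: `sed -e "s/<password>/$PASSWORD/g"` puts the
# password in sed's argv. Writing the substitution into a 0600 temp file and
# using `sed -f` keeps it out of the process list. Prints the filled template.
substitute_password_safely() {
    template=$1
    scriptfile=$(mktemp) || return 1
    chmod 600 "$scriptfile"
    # written by the shell's builtin printf, so again never an argv word
    printf 's/<password>/%s/g\n' "$DEMO_SECRET" > "$scriptfile"
    printf '%s\n' "$template" | sed -f "$scriptfile"
    rm -f "$scriptfile"
}

if secret_visible_on_argv; then
    echo "argv:  secret visible in the process table (the problem)"
fi
if secret_hidden_via_stdin; then
    echo "stdin: secret not visible in the process table"
fi
substitute_password_safely 'userPassword: <password>'
```

Run it as an unprivileged user on a shared host to see exactly what another account would see. Note that moving the secret into an environment variable instead of argv only helps partially: `/proc/<pid>/environ` is readable by the process owner and by root, so a file with mode 0600 or a pipe is the pattern to prefer.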