On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:

> In Erkelenz a group of developers wanted to work on a user
> administration tool. This group is formed by: Christian Kuelker,
> Benjamin Sonntag, Thomas Courbeil, Xavier Oswald, Jean Charles
> Siegel. Sorry if I forgot somebody.

Great to hear!

> The idea was to use the very good work made by Christian Kuelker
> with CiPux. CiPux is a collection of very powerful Perl scripts which
> make it possible to manage LDAP.

I studied some of the CiPux code a bit, and there are several security issues which must be fixed before we can use this in our Debian-Edu/Skolelinux distribution.

I've found examples in the code where passwords are sent to the command line. One example is in get_value.pl [1], where the LDAP password is provided on the command line to LDAP command-line utilities. In another file [2] passwords, crypts and some NT password hashes are written directly to the logfile, which is, in my eyes, far from acceptable.

First of all I hope that the people who have implemented a solution based on CiPux have restricted access to the CiPux logfile! Second, the problem with the passwords in commands called from Perl is that a student can watch the process list with e.g. 'ps ax' and be able to pick up passwords for users or machines.

If we can get the CiPux framework free of these kinds of bugs, we should start the process of packaging it and uploading it to Debian.

> The proposition is to add an interface for CiPux in the Intranet
> made by the French team with Moodle. The solution adopted in
> Erkelenz is to create a RPC engine which controls CiPux and which
> can interact with various interfaces:
> modules moodle
> CAT' in PHP
> Something in java
> PAS
> ...
>
> If you want to see the work made on the Intranet, you can have a
> look at http://moodle.skolelinux.fr/
>
> We can announce that the RPC engine is running. The source code of
> this work can be found in the fr branch in the moodle ldap
> package.
>
> At the beginning of the next month, two students will start to write
> the interface for Moodle. We hope that this work will be ready for
> the Dev Camp.

Unfortunately I don't have any Moodle knowledge, but do you know how hard/easy it will be to make a CiPux plugin written for Moodle preconfigured for our Debian-Edu/Skolelinux distribution? At least you should make sure the students write the configuration part of the plugin with this in mind.

> This work is a first result from the collaboration started between
> the French and German team and of course everybody must feel free to
> join this work even if he's not French or German ;)

I believe that working together across country borders is how we all will have a better product to offer our "customers", and I hope that many will contribute so we'll have a nicer user administration utility ready this summer when Debian starts the freeze for etch.

I hope that my comments about CiPux are taken seriously, as I believe the problems commented on are very serious from a security point of view.

- Werner

[1] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/get_value.pl?rev=1.2
[2] http://cvs.cipworx.org/cvsweb.cgi/cipux/cibot/src/bin/add.pl?rev=1.5
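As an added example (not CiPux code and not part of the mail above), here is how a Perl script can avoid the two problems Werner describes: the bind password is handed to ldapsearch through a mode-0600 file with -y instead of appearing in argv via -w, and password-bearing attributes are redacted before a line is written to a logfile. The attribute names userPassword, sambaNTPassword and sambaLMPassword and the sample LDIF are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not CiPux code): keep an LDAP bind password out of the
# process list and out of the logfile. Attribute names are assumed.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Risky pattern: the password is a command-line argument, so any local user
# can read it with 'ps ax' for as long as the command is running.
sub ldapsearch_argv_insecure {
    my ($binddn, $password, $base, $filter) = @_;
    return ('ldapsearch', '-x', '-D', $binddn, '-w', $password, '-b', $base, $filter);
}

# Safer pattern: write the password to a temporary file created with mode 0600
# and let ldapsearch read it with -y; argv then only reveals the file name.
sub ldapsearch_argv_safe {
    my ($binddn, $password, $base, $filter) = @_;
    my ($fh, $pwfile) = tempfile(UNLINK => 1);   # File::Temp creates it 0600
    print {$fh} $password;    # no trailing newline: -y uses the whole file
    close $fh or die "close $pwfile: $!";
    return ('ldapsearch', '-x', '-D', $binddn, '-y', $pwfile, '-b', $base, $filter);
}

# Run a command with the list form of system(), so no shell sees the arguments.
sub run_quiet {
    my @argv = @_;
    return system(@argv) == 0;
}

# Redact secret-bearing LDIF attributes before a line reaches the logfile.
# LDAP attribute names are case-insensitive, hence the /i modifier.
my @SECRET_ATTRS = qw(userPassword sambaNTPassword sambaLMPassword);  # assumed
sub redact_for_log {
    my ($line) = @_;
    for my $attr (@SECRET_ATTRS) {
        $line =~ s/^(\Q$attr\E::?\s*).*/$1<redacted>/i;
    }
    return $line;
}

# Constructed demonstration input: only the secret values are masked.
my @ldif = ('dn: uid=alice,ou=people,dc=example,dc=org',
            'userPassword: {SSHA}c29tZXNhbHRlZGhhc2g=',
            'sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF');
print redact_for_log($_), "\n" for @ldif;
```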

