On Monday, 3 April, Christian Kuelker typed the following:

Hi!

> On Fri, Mar 24, 2006 at 06:33:22PM +0100, Morten Werner Olsen wrote:
> > On Wed, Mar 22, 2006 at 02:40:07PM +0100, Thierry STAUDER wrote:
> > > The idea was to use the very good work made by Christian Kuelker
> > > with CiPux. Cipux is a whole of very powerful Perl scripts which
> > > makes it possible to manage LDAP.
> > I studied some of the CiPux-code a bit, and there are several security
> > issues which must be fixed before we can use this in our
> > Debian-Edu/Skolelinux distribution. I've found examples in the code
> > where passwords are sent to the command-line. One example in
> > get_value.pl [1] where the LDAP-password is provided on the
> > command-line to LDAP-commandline utilities.
> This is an issue and it must be changed. It is serious on woody, but
> not that serious on sarge, because the password will not show up
> in the processlist. We are working on that and there are some suggestions
> discussed in the german team to solve this. This should only be a matter
> of time. We can discuss this here also if this is desired in a different
> thread.

If you write in perl, why not use the perl LDAP API? No system call, no
entry in the process list, no password to be read.

> > In another file [2] passwords, crypts and some NT-passwordhashes are
> > written directly in the logfile which is, in my eyes, far away from
> > acceptable.
> ok, there were no concerns to that from the german team so far, but
> it is no problem to cut that off. (the log was set to 700,
> accessible only for root)

Don't log passwords. *If* you *really* want to do so, define another special
option for exactly that task, e.g. $password_debug, set it to "false" by
default and write a big warning around it.

> > First of all I hope that the people that have implemented a solution
> > based on CiPux have restricted the access to the CiPux logfile!
> It should be done by installation, (debug) logging is off by default.
> > Second, the problem with the passwords in commands called in perl is
> > that a student can watch the processlist with e.g. 'ps ax' and be able
> > to pick up passwords for users or machines.
> Yes this is an issue which will go away with the new RPC daemon,
> implemented in France. Still under development, but will be finished
> in April.

Again: Net::LDAP is an IMO nice working API to access LDAP from Perl without
any execs.

> > If we can get the CiPux-framework free for these kind of bugs, we
> > should start the process of packaging it and uploading it to Debian.
> I agree on that.
> So please mail the things (bugs or feature requests).
> Where should this be listed?
> May be: http://www.skolelinux.de/wiki/CipUX/Requests

[...]

Ciao
Max
-- 
May the source be with you.
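As an added illustration of the two suggestions in the mail above (bind through Net::LDAP instead of handing the password to a command-line tool, and a $password_debug switch that is off by default so no password reaches the log), this is example code written for this page, not code from CiPux or from the mail's author; the secret-file path, the log prefix and the bind DN are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;

# Debug switch as suggested above: off by default. Setting it to 1 writes
# clear-text passwords into the log, which is only acceptable on a test box.
our $password_debug = 0;

# Read the bind password from a root-only file (path assumed for this example)
# instead of taking it on the command line, so no process ever carries it in
# its argument list where `ps ax` could show it.
sub read_secret_file {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!";
    my $mode = $st[2] & 07777;
    die sprintf("%s has mode %04o; refusing to read it (need 0600 or 0400)", $path, $mode)
        if $mode & 077;
    open my $fh, '<', $path or die "cannot open $path: $!";
    my $secret = <$fh>;
    close $fh;
    defined $secret or die "$path is empty";
    chomp $secret;
    return $secret;
}

# Write a log line, masking password attributes unless $password_debug is set.
sub log_line {
    my ($msg) = @_;
    $msg =~ s/\b(userPassword|sambaNTPassword|sambaLMPassword|password)\s*[:=]\s*\S+/${1}: <redacted>/gi
        unless $password_debug;
    print STDERR "[cipux-example] $msg\n";
}

# Bind in-process with Net::LDAP: no exec, no shell, nothing in the process list.
sub ldap_bind {
    my ($uri, $bind_dn, $password) = @_;
    my $ldap = Net::LDAP->new($uri) or die "cannot connect to $uri: $@";
    my $mesg = $ldap->bind($bind_dn, password => $password);
    die "bind failed: " . $mesg->error if $mesg->code;
    return $ldap;
}

my $pw = read_secret_file('/etc/cipux/ldap.secret');
# The password is deliberately part of this message to show the redaction at work.
log_line("binding as cn=admin,dc=example,dc=org with password=$pw");
my $ldap = ldap_bind('ldap://localhost', 'cn=admin,dc=example,dc=org', $pw);
$ldap->unbind;
```

With $password_debug left at 0 the log shows "password: <redacted>"; the script needs a reachable LDAP server and a 0600 secret file to complete the bind.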

