Issue #11094 has been updated by Josh Cooper.

Category set to security
Status changed from Investigating to Accepted
Keywords set to useradd passwords
So the Solaris `user_role_add` provider does not leak the hashed password because it directly writes to /etc/shadow (using a tempfile). The `useradd` provider, on the other hand, only uses ruby-shadow to read the password entries, when determining if the passwords are in sync. However, when setting the password, it passes it on the command line, and has apparently done this forever. I'm not sure why it's not using Shadow::Passwd.putspent to set it (with appropriate locking), but clearly it should.
----------------------------------------
Bug #11094: ruby-libshadow not being used on RHEL 6
https://projects.puppetlabs.com/issues/11094

Author: Dan Lowe
Status: Accepted
Priority: Normal
Assignee:
Category: security
Target version:
Affected Puppet version: 2.7.6
Keywords: useradd passwords
Branch:

To be honest, I am not sure if this should be a bug or feature request, but my reading of the documentation makes me think it's a possible bug.

On my Solaris 8 and 10 systems, I have Puppet 2.7.6 running with ruby-libshadow, and users are added as expected, including their shadow passwords being handled.

On RHEL 6, the users are being added properly, but during an audit we determined that there is information leakage during the add process. The password hash is being supplied to useradd via the "-p" flag. (Presumably this is also the case with usermod when the user already exists at the time of password set/change.) That creates a small but extant leakage where the hash is exposed to any user on the system via the process table (if only briefly).

My understanding is that when libshadow is installed, Puppet is supposed to use it to handle shadow passwords, instead of using user{add,mod} -p. Is this intentional behavior, or is it abnormal that libshadow is not being used?

I wrote a wrapper around useradd to capture the arguments it was passed; here is an example test user that was added.
'-s' '/bin/bash' '-u' '9998' '-g' 'root' '-c' 'Dan Lowe' '-d' '/home/dantest8' '-p' 'EAY9JzzcL3kSz' '-M' 'dantest8'

libshadow is installed on this system.

$ gem list | grep shadow
libshadow (1.0.0)
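The process-table exposure the report describes, next to a stdin-based alternative, as an added Ruby example that is not part of Puppet or of this thread. It assumes Linux (argv is read from /proc/<pid>/cmdline, which any local user can read), uses a shell running `sleep` as a stand-in for useradd so it runs unprivileged, and uses `cat` as a stand-in for `chpasswd -e`, which reads "user:hash" lines from stdin; the hash EAY9JzzcL3kSz is the test hash from the report.

```ruby
# Added example; not code from Puppet or from this bug thread.
# Assumes Linux (/proc). `cat` is an unprivileged stand-in for
# `chpasswd -e`, which reads "user:hash" lines from stdin.
require 'open3'

# Read a running process's argument vector from /proc. Any local user can
# do this (it is what `ps` shows), which is why a hash placed in argv is
# public for as long as the process lives.
def cmdline_of(pid)
  File.binread("/proc/#{pid}/cmdline").split("\0")
end

# What the useradd provider does today: the hash rides in argv.
# A shell running 'sleep 5; :' stands in for useradd (two commands, so the
# shell does not simply exec sleep and replace its own argv); the trailing
# arguments are ignored by sh but sit in the process table exactly like
# '-p <hash>' does. Returns true when the hash is readable from /proc.
def hash_leaks_via_argv?(hash)
  pid = Process.spawn('sh', '-c', 'sleep 5; :', 'useradd-stand-in', '-p', hash)
  begin
    sleep 0.2 # let the child settle before inspecting it
    cmdline_of(pid).include?(hash)
  ensure
    Process.kill('TERM', pid)
    Process.wait(pid)
  end
end

# The alternative: hand "user:hash" to the helper on stdin. With the real
# command (['chpasswd', '-e'], run as root) only "chpasswd -e" is visible in
# the process table. `cat` is used by default so this runs unprivileged; it
# echoes stdin back so we can confirm the hash actually reached the child.
# Returns [argv visible to other users, bytes the child received, exit status].
def hash_via_stdin(user, hash, cmd: ['cat'])
  Open3.popen2(*cmd) do |stdin, stdout, wait_thr|
    argv = cmdline_of(wait_thr.pid) # child has exec'd and is blocked on stdin
    stdin.write("#{user}:#{hash}\n")
    stdin.close
    [argv, stdout.read, wait_thr.value.exitstatus]
  end
end

if $PROGRAM_NAME == __FILE__
  h = 'EAY9JzzcL3kSz' # the test hash from the report (constructed test user)
  puts "argv path: hash visible in process table = #{hash_leaks_via_argv?(h)}"
  argv, got, = hash_via_stdin('dantest8', h)
  puts "stdin path: process table shows #{argv.inspect}, child received #{got.inspect}"
end
```

The stdin route closes the window the audit found but still runs a helper; writing /etc/shadow directly through ruby-shadow (Shadow::Passwd.putspent, with the lock held, as suggested above) avoids the helper altogether, which is why the Solaris provider's tempfile-and-rename approach does not show the same exposure.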
