Bug 744422
Summary: | Leaks KDC password and master password via command line arguments | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | Dmitri Pal <dpal> |
Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
Status: | CLOSED ERRATA | QA Contact: | IDM QE LIST <seceng-idm-qe-list> |
Severity: | medium | Docs Contact: | |
Priority: | unspecified | ||
Version: | 6.1 | CC: | jgalipea, mkosek, rcritten |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | ipa-2.1.3-1.el6 | Doc Type: | Bug Fix |
Doc Text: |
Cause: When the IPA server is being installed, ipa-server-install calls kdb5_ldap_util to populate the directory with realm info. It passes the Kerberos master database password and the Kerberos directory password as command-line parameters.
Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords.
Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather than CLI parameters.
Result: Passwords are not visible in the process listing during IPA server installation, so no user can catch them.
|
Story Points: | --- |
Clone Of: | 744373 | Environment: | |
Last Closed: | 2011-12-06 18:42:38 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 744373, 745580 | ||
Bug Blocks: | 748554 |
Description
Dmitri Pal
2011-10-08 15:23:12 UTC
*** Bug 745580 has been marked as a duplicate of this bug. ***

Fixed upstream:
master: 0d823ddc4e5fa7f8bdecb590b4ebd129106b063f
ipa-2-1: 7a5d906d03af6ee551036a841f71082fc66fa41b

Needs steps to reproduce/verify this bug.

Can be partly verified by code inspection: are we using the -P and -w options any more? Installing the server successfully confirms that the patch does not cause a regression. If Kerberos works at all with the resulting server then the patch is ok.

verified:
<snip>
```python
    def __create_instance(self, replica=False):
        self.__template_file("/var/kerberos/krb5kdc/kdc.conf", chmod=None)
        self.__template_file("/etc/krb5.conf")
        self.__template_file("/usr/share/ipa/html/krb5.ini")
        self.__template_file("/usr/share/ipa/html/krb.con")
        self.__template_file("/usr/share/ipa/html/krbrealm.con")

        if not replica:
            #populate the directory with the realm structure
            args = ["kdb5_ldap_util", "-D",
                    "uid=kdc,cn=sysaccounts,cn=etc,"+self.suffix,
                    "create", "-s", "-r", self.realm,
                    "-subtrees", self.suffix, "-sscope", "sub"]
            dialogue = (
                # Password for "uid=kdc,cn=sysaccounts,cn=etc,...":
                self.kdc_password + '\n',
                # Enter KDC database master key:
                self.master_password + '\n',
                # Re-enter KDC database master key to verify:
                self.master_password + '\n',
            )
            try:
                ipautil.run(args,
                            nolog=(self.kdc_password, self.master_password),
                            stdin=''.join(dialogue))
            except ipautil.CalledProcessError, e:
                print "Failed to populate the realm structure in kerberos", e
```
</snip>
version: ipa-server-2.1.3-3.el6.x86_64

Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.
New Contents:
Cause: When the IPA server is being installed, ipa-server-install calls kdb5_ldap_util to populate the directory with realm info. It passes a Kerberos master database password and Kerberos directory password as its parameters.
Consequence: Any user listing all running processes during IPA server installation may be able to catch these passwords.
Fix: kdb5_ldap_util interactive mode is used to pass the passwords rather than CLI parameters.
Result: Passwords are not visible in process listing during IPA server installation so that no user can catch them.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2011-1533.html
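The two patterns this bug contrasts, shown side by side as an added example (this is not IPA's code and not `kdb5_ldap_util` itself): a child process stands in for the KDC utility, and the parent reads the child's command line the same way any unprivileged user's `ps` would, first with the password in argv (the pre-fix behaviour) and then with the password delivered on stdin (the fixed behaviour). A small `redact()` helper mirrors the `nolog=` idea from the verified snippet, so the command can be written to an install log without the secret. Assumptions: a Linux `/proc` (with `ps` as fallback), Python 3.7+, and a constructed sample password.

```python
"""Added example: why a password in argv is visible to every local user,
and why handing it over on stdin is not. Not IPA code; the child process
is a stand-in for kdb5_ldap_util. Assumes Linux /proc or a working `ps`."""
import subprocess
import sys

REDACTED = "XXXXXXXX"

# Stand-in for kdb5_ldap_util: blocks until one line arrives on stdin, so the
# parent has a window in which to inspect it, then reports whether it got a value.
CHILD_SRC = "import sys; pw = sys.stdin.readline().strip(); sys.stdout.write('ok' if pw else 'empty')"


def cmdline_as_seen_by_others(pid):
    """Return the command line of `pid` as any local user sees it in a process
    listing. /proc/<pid>/cmdline is world-readable on Linux; `ps` is the fallback."""
    try:
        with open("/proc/%d/cmdline" % pid, "rb") as f:
            return f.read().replace(b"\0", b" ").decode("utf-8", "replace")
    except OSError:
        ps = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                            capture_output=True, text=True, check=False)
        return ps.stdout


def run_secret_in_argv(secret):
    """Pre-fix pattern: the password rides in argv (here after a "-P" flag).
    Returns what a process listing showed while the child was running."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_SRC, "-P", secret],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    seen = cmdline_as_seen_by_others(child.pid)
    child.communicate("unused\n")          # let the child finish
    return seen


def run_secret_on_stdin(secret):
    """Fixed pattern: argv carries only option names; the password goes down a
    pipe, exactly as the `stdin=''.join(dialogue)` call does in the fix.
    Returns (what the process listing showed, what the child reported)."""
    child = subprocess.Popen([sys.executable, "-c", CHILD_SRC],
                             stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    seen = cmdline_as_seen_by_others(child.pid)
    out, _ = child.communicate(secret + "\n")
    return seen, out


def redact(args, secrets):
    """Scrub secret values before an argv is written to a log, the same
    intent as the nolog=(...) parameter in the verified IPA snippet."""
    return [REDACTED if a in secrets else a for a in args]


if __name__ == "__main__":
    sample = "hunter2-constructed"           # constructed sample password
    print("argv  :", "LEAKED" if sample in run_secret_in_argv(sample) else "hidden")
    seen, out = run_secret_on_stdin(sample)
    print("stdin :", "LEAKED" if sample in seen else "hidden", "/ child said", out)
    print("logged:", " ".join(redact(["kdb5_ldap_util", "-P", sample], {sample})))
```

The same reasoning rules out environment variables as a replacement for argv: `/proc/<pid>/environ` is readable by the process owner and root, and installers commonly run as root, so a pipe on stdin (or a mode 0600 file the child reads) is the channel that keeps the value out of other users' view. When checking a fix like this one, the test is the one the verifier on this bug used: confirm by inspection that no password-carrying option is still built into the argument list, then confirm the realm still comes up.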