Bug 446865 - ipa-server-install will log passwords to log files
Status: CLOSED ERRATA
Alias: None
Product: freeIPA
Classification: Retired
Component: ipa-server
Version: 1.0
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Rob Crittenden
QA Contact: Chandrasekar Kannan
Blocks: 429034
Reported: 2008-05-16 14:48 UTC by Martin Nagy
Modified: 2016-07-26 23:46 UTC (History)

Fixed In Version: freeipa-2.0.0-1.fc15
Doc Type: Bug Fix
Last Closed: 2012-03-27 07:16:57 UTC

Attachments
Don't pass the DM password on the command-line, use a file (2.76 KB, patch)
2008-05-19 18:29 UTC, Rob Crittenden

Description Martin Nagy 2008-05-16 14:48:17 UTC
Description of problem:
If ipa-server-install fails for some reason, it may result
in passwords being logged to the installation log file.

Version-Release number of selected component (if applicable):
Latest git version: 6119f83799a70738170e19f3e2d833fdf4ecbc86

How reproducible:
Use ipa-server-install and make sure it fails.

Steps to Reproduce:
1.
2.
3.
  
Actual results:
2008-05-12 15:18:11,503 CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w aaaaaaaa -f
/tmp/tmpn3QE-F' returned non-zero exit status 32

Expected results:
2008-05-12 15:18:11,503 CRITICAL Failed to load bootstrap-template.ldif: Command
'/usr/bin/ldapmodify -h 127.0.0.1 -xv -D cn=Directory Manager -w hidden -f
/tmp/tmpn3QE-F' returned non-zero exit status 32

Additional info:

Comment 1 Rob Crittenden 2008-05-19 18:29:45 UTC
Created attachment 305990
Don't pass the DM password on the command-line, use a file
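
The two remedies this report points at, masking the `-w` value in a logged command line (the expected results above) and keeping the password off the command line by using a file (the attachment's title), as an added Python example; it is not the attached patch or freeIPA code. It assumes OpenLDAP's `ldapmodify`, whose `-y` option reads the bind password from a file; the helper names and sample values are constructed.

```python
import os
import tempfile

SECRET_FLAGS = ("-w",)  # ldapmodify: -w <bind password>


def redact_argv(argv, secret_flags=SECRET_FLAGS, mask="hidden"):
    """Return a copy of argv that is safe to write to a log."""
    safe, mask_next = [], False
    for arg in argv:
        if mask_next:                      # value following a secret flag
            safe.append(mask)
            mask_next = False
        elif arg in secret_flags:          # separate form: -w secret
            safe.append(arg)
            mask_next = True
        else:
            for flag in secret_flags:      # attached form: -wsecret
                if arg.startswith(flag):
                    arg = flag + mask
                    break
            safe.append(arg)
    return safe


def write_password_file(password):
    """Store the password in a private temp file; the caller removes it."""
    fd, path = tempfile.mkstemp(prefix="dmpw-")   # created with mode 0600
    with os.fdopen(fd, "w") as f:
        f.write(password)      # no newline: -y uses the file's whole contents
    return path


def ldapmodify_argv(bind_dn, ldif_path, pw_file):
    """Build the command with -y <file>, so no secret is in argv at all."""
    return ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv",
            "-D", bind_dn, "-y", pw_file, "-f", ldif_path]


if __name__ == "__main__":
    # Constructed sample: the command from the report, password as logged there.
    leaky = ["/usr/bin/ldapmodify", "-h", "127.0.0.1", "-xv", "-D",
             "cn=Directory Manager", "-w", "aaaaaaaa", "-f", "/tmp/tmpn3QE-F"]
    print("log-safe:", " ".join(redact_argv(leaky)))
    pw_file = write_password_file("aaaaaaaa")
    try:
        print("file-based:", " ".join(
            ldapmodify_argv("cn=Directory Manager", "/tmp/tmpn3QE-F", pw_file)))
    finally:
        os.remove(pw_file)
```

Redaction only protects the log; the file-based form also keeps the password out of the process list, which is why it is the stronger of the two.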

Comment 2 Rob Crittenden 2008-05-19 21:08:56 UTC
ipa-1-0: 649dcf6c445d99f13151eef4c518635e03d496a5
master: 6c87f831806af51539824244d684c2431b8e7af7

Comment 3 Yi Zhang 2008-05-22 22:33:33 UTC
QA Verified on May 22, 2008 (Yi)

Build used: May 22, 2008 (x64)

test run:
1. yum install ipa-server
2. change the file: /usr/share/ipa/bootstrap-template.ldif to a different file
3. ipa-server-install

--- result: the install failed, but there is no password logged, test passed
2008-05-22 15:20:27,956 INFO
2008-05-22 15:20:27,957 DEBUG   [12/16]: adding default layout
2008-05-22 15:20:27,962 DEBUG [Errno 2] No such file or directory:
'/usr/share/ipa/bootstrap-template.ldif'
  File "/usr/sbin/ipa-server-install", line 556, in ?
    main()

  File "/usr/sbin/ipa-server-install", line 482, in main
    ds.create_instance(ds_user, realm_name, host_name, domain_name, dm_password)

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 182, in
create_instance
    self.start_creation("Configuring directory server:")

  File "/usr/lib/python2.4/site-packages/ipaserver/service.py", line 139, in
start_creation
    method()

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 359, in
__add_default_layout
    self.__ldap_mod("bootstrap-template.ldif", self.sub_dict)

  File "/usr/lib/python2.4/site-packages/ipaserver/dsinstance.py", line 279, in
__ldap_mod
    txt = ipautil.template_file(path, sub_dict)