Bug 469589 - SECURITY: testsaslauthd requires plaintext password on command line
Status: CLOSED UPSTREAM
Product: Fedora
Classification: Fedora
Component: cyrus-sasl
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-02 17:44 EST by D. Wagner
Modified: 2008-11-03 03:32 EST

Doc Type: Bug Fix
Last Closed: 2008-11-03 03:31:52 EST
Description D. Wagner 2008-11-02 17:44:54 EST
Description of problem:

/usr/sbin/testsaslauthd requires the password to be specified on the command line with the -p flag in plaintext.  There is no provision to provide a password via any other mechanism.

This is a security vulnerability (testsaslauthd is "insecure by design").  Command-line arguments are visible to other users in 'ps'.  They are also recorded in .history files, so they will be stored to disk and may persist for an unpredictable amount of time.

You may be tempted to think that this doesn't matter because testsaslauthd is just for testing.  But it is a violation of my security policy to EVER type my password in a place that could cause it to be visible to others or stored in plaintext on my hard disk.  As a result testsaslauthd is not usable by those who must follow similar policies.

Suggestion: Provide a way to specify the password on stdin.


Version-Release number of selected component (if applicable):

# rpm -q -f /usr/sbin/testsaslauthd
cyrus-sasl-2.1.22-15.fc9.x86_64


How reproducible:

This functionality is part of the design of testsaslauthd, so it is 100% reproducible.


This is a security-related defect but there is no reason to keep it confidential, as the security vulnerability is obvious to anyone who uses the program or reads the manual page.
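The following is an added example, not cyrus-sasl code and not something the reporter or maintainer posted: it shows, in C because testsaslauthd is a C program, what the requested stdin option could look like next to the existing -p form. The function names (read_password_from_stream, scrub_argv_cell, get_password) and the "-p -" convention for "read the password from stdin" are assumptions made for this example. The -p VALUE path is kept only to show that scrubbing argv after the fact narrows but does not close the exposure the report describes: ps(1) and /proc/PID/cmdline can see the value from exec() until the overwrite, and the shell's history file already has it.

```c
/* Added example (hypothetical helpers, not cyrus-sasl's testsaslauthd.c):
 * take a password from stdin instead of argv, with the legacy -p VALUE
 * path kept to demonstrate argv scrubbing and its limits. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PW_MAX 256

/* Zero a buffer through a volatile pointer so the compiler cannot drop the
 * store as dead (a plain memset before free/return often gets elided). */
static void wipe(char *p, size_t n) {
    volatile char *v = (volatile char *)p;
    while (n--) *v++ = 0;
}

/* Read one line of at most buflen-2 bytes from `in` into `buf` and strip the
 * trailing newline (a final line without newline is accepted, so
 * `printf '%s' "$pw" | tool -p -` works). Returns the password length, or -1
 * on EOF, on an empty line, or when the line does not fit: an over-long
 * secret is wiped and rejected rather than silently truncated. */
int read_password_from_stream(FILE *in, char *buf, size_t buflen) {
    if (buflen < 2 || !fgets(buf, (int)buflen, in)) return -1;
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n') {
        buf[--n] = '\0';
    } else if (n == buflen - 1) {
        /* buffer full and no newline seen: the line was longer than we allow */
        wipe(buf, buflen);
        return -1;
    }
    if (n == 0) return -1;
    return (int)n;
}

/* Overwrite the argv cell that held a secret so ps(1) and /proc/PID/cmdline
 * no longer show it. The length is preserved so the cmdline layout stays
 * intact. This is damage limitation only: the value was visible between
 * exec() and this call, and the shell may already have written it to
 * its history file. */
void scrub_argv_cell(char *arg) {
    size_t n = strlen(arg);
    volatile char *v = (volatile char *)arg;
    for (size_t i = 0; i < n; i++) v[i] = 'x';
}

/* Resolve the password from a testsaslauthd-style option list.
 * "-p -" (assumed convention) reads one line from `in`; "-p VALUE" keeps
 * the legacy behaviour and scrubs argv afterwards. Returns the length
 * stored in `buf`, or -1 if no usable -p was given. */
int get_password(int argc, char **argv, FILE *in, char *buf, size_t buflen) {
    for (int i = 1; i + 1 < argc; i++) {
        if (strcmp(argv[i], "-p") != 0) continue;
        char *val = argv[i + 1];
        if (strcmp(val, "-") == 0)
            return read_password_from_stream(in, buf, buflen);
        size_t n = strlen(val);
        if (n == 0 || n >= buflen) return -1;
        memcpy(buf, val, n + 1);
        scrub_argv_cell(val);   /* off the process list; history already has it */
        return (int)n;
    }
    return -1;   /* no -p option at all */
}

int main(int argc, char **argv) {
    char pw[PW_MAX];
    int n = get_password(argc, argv, stdin, pw, sizeof pw);
    if (n < 0) {
        fprintf(stderr, "usage: %s -p -  < passwordfile   (or the unsafe -p PASSWORD)\n", argv[0]);
        return 2;
    }
    /* a real tool would hand `pw` to saslauthd here */
    printf("got a %d-byte password\n", n);
    wipe(pw, sizeof pw);
    return 0;
}
```

With the "-p -" form the password never appears in argv, so neither `ps` nor the shell history file sees it; the caller can feed it from a file with restrictive permissions (`tool -p - < ~/.pw`) or from a prompt that disables echo, for example `stty -echo; read pw; stty echo` in a wrapper.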
Comment 1 Tomas Mraz 2008-11-03 03:32:17 EST
Upstream bug https://bugzilla.andrew.cmu.edu/show_bug.cgi?id=3116
