Bug 667326 - '-s' option in sss_obfuscate command is a bit redundant.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.0
Hardware: Unspecified Unspecified
Priority: low, Severity: medium
Target Milestone: rc
Assigned To: Stephen Gallagher
Chandrasekar Kannan
Blocks: 579778
Reported: 2011-01-05 04:20 EST by Gowrishankar Rajaiyan
Modified: 2015-01-04 18:45 EST
Fixed In Version: sssd-1.5.1-1.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 07:42:07 EDT
External Trackers:
Red Hat Product Errata RHSA-2011:0560 (priority: normal, status: SHIPPED_LIVE), "Low: sssd security, bug fix, and enhancement update", last updated 2011-05-19 07:38:17 EDT

Description Gowrishankar Rajaiyan 2011-01-05 04:20:45 EST
Description of problem:
'-s' option in sss_obfuscate command is a bit redundant and functions the same even without '-s' option.

Version-Release number of selected component (if applicable):
sssd-1.5.1-0.2010122318git375e3e4.el6.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure a native ldap domain as specified in "Additional info" section.
2. Execute "sss_obfuscate -d LDAP"
3. Enter password and press "CTRL-d".
  
Actual results:
Obfuscated password gets added to the domain.


Expected results:
Either the password should be a command line option for "sss_obfuscate" or '-s' should be used to read input from stdin. The current behaviour of reading password from stdin without '-s' makes this option a bit redundant. 

No password and without '-s' option should display the usage message.


Additional info:
[domain/LDAP]
ldap_tls_reqcert = never
ldap_id_use_start_tls = False
cache_credentials = False
ldap_search_base = dc=example,dc=com
id_provider = ldap
auth_provider = ldap
ldap_default_bind_dn = uid=puser1,ou=People,dc=example,dc=com
ldap_tls_cacertdir = /etc/openldap/cacerts
debug_level = 9
min_id = 1000
ldap_uri = ldaps://ldap.server.redhat.com:636
enumerate = True
ldap_schema = rfc2307
ldap_tls_cacert = /etc/openldap/cacerts/cacert.asc
Comment 2 Stephen Gallagher 2011-01-05 07:00:25 EST
The -s option does seem redundant, yes. It should probably be removed. I don't think we want to pass the password at the commandline, though. That's vulnerable to process-monitoring programs to see what the password was.

This is why we have the -f/--file option to sss_obfuscate. It guarantees that the password isn't visible in the process table.

I think our approach here should be to drop the -s option and update the manpage to note that the password is read from stdin unless -f is specified.
Comment 3 Gowrishankar Rajaiyan 2011-01-05 12:39:27 EST
As per man sss_obfuscate,

<snip>
       -f,--file FILE
           Read the config file specified by the positional parameter.
           Default: /etc/sssd/sssd.conf
</snip>

This option just reads the specified config file.
Comment 4 Stephen Gallagher 2011-01-05 12:47:59 EST
Whoops, I misread that. So yeah, we just need to kill the -s option since it's useless.

My other comment about not passing it at the command-line stands, though.
Comment 6 Stephen Gallagher 2011-01-20 10:11:29 EST
Upstream ticket https://fedorahosted.org/sssd/ticket/768 has resolved this issue by changing the default behavior with no arguments passed. It will now perform an interactive request for the password. Thus, the -s input to read from stdin now makes sense.
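
The concern raised in comments 2 and 4 (a password given as a command-line argument is visible in the process table) and the input behaviour described in comment 6, as an added example that is not part of the original thread and is not sssd code. It assumes a Linux /proc filesystem; the function names and the sample secret are constructed for illustration.

```python
import getpass
import subprocess
import sys

# Child that blocks until its stdin is closed, so it stays in the process table.
CHILD = "import sys; sys.stdin.read()"

def visible_cmdline(pid):
    """Return the argv of a process as local users can read it from /proc."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [arg.decode() for arg in f.read().split(b"\0") if arg]

def secret_exposed(secret, via_argv):
    """Hand the secret to a child via argv or via stdin and report
    whether it appears in the child's process-table entry."""
    args = [sys.executable, "-c", CHILD]
    if via_argv:
        args.append(secret)              # the pattern comment 2 warns against
    proc = subprocess.Popen(args, stdin=subprocess.PIPE)
    try:
        if not via_argv:
            proc.stdin.write(secret.encode() + b"\n")
            proc.stdin.flush()
        return any(secret in arg for arg in visible_cmdline(proc.pid))
    finally:
        proc.stdin.close()               # lets the child exit
        proc.wait()

def read_password(from_stdin, stream=None, prompt=getpass.getpass):
    """Sketch of the resolved behaviour: a no-echo interactive prompt by
    default, one line from stdin only when '-s'-style input is requested.
    The password is never taken from argv."""
    if from_stdin:
        stream = sys.stdin if stream is None else stream
        return stream.readline().rstrip("\n")
    return prompt("Enter password: ")

if __name__ == "__main__":
    secret = "constructed-example-secret"    # constructed sample value
    print("exposed via argv :", secret_exposed(secret, via_argv=True))
    print("exposed via stdin:", secret_exposed(secret, via_argv=False))
```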
Comment 9 Gowrishankar Rajaiyan 2011-03-21 02:38:01 EDT
sss_obfuscate command does not read the password from stdin without '-s', as expected. 


#  rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 14.el6                        Build Date: Wed 09 Mar 2011 02:30:12 PM EST
Install Date: Mon 21 Mar 2011 01:14:19 AM EDT      Build Host: x86-009.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-14.el6.src.rpm
Size        : 3418526                          License: GPLv3+
Signature   : RSA/8, Thu 10 Mar 2011 11:27:42 AM EST, Key ID 938a80caf21541eb
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 10 errata-xmlrpc 2011-05-19 07:42:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 11 errata-xmlrpc 2011-05-19 09:09:04 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html