[Debconf-devel] Bug#711693: debconf-set-selection: leave clear text password entries behind in templates.dat
Petter Reinholdtsen
pere at hungry.com
Sat Jun 8 19:17:07 UTC 2013
Package: debconf-utils
Version: 1.5.49
Severity: important
Tags: patch
User: debian-edu at lists.debian.org
Usertags: debian-edu
We recently discovered a problem with the Wheezy version of Debian Edu
we are working on. The clear text password of root and the first user
would show up in /var/cache/debconf/templates.dat and
/var/cache/debconf/templates.dat-old, even if we had code in our
installation hooks to remove the passwords from debconf once they had
been used to set up Kerberos and LDAP.
I traced it down to our use of debconf-set-selections to pass the
passwords into the debconf database in /target/, and the code that look
like this:
sub load_answer {
my ($owner, $label, $type, $content) = @_;
info "Loading answer for '$label'";
my $template=Debconf::Template->get($label);
if (! $template) {
$template=Debconf::Template->new($label, $owner, $type);
$template->description("Dummy template");
$template->extended_description("This is a fake template used to pre-seed the debconf database. If you are seeing this, something is probably wrong.");
}
else {
$template->default($content);
}
[...]
$question->value($content);
[...]
}
When using debconf-set-selectoins to set a password in a template that
is already loaded, the $template->default() code path is used, and this
in turn cause a 'Default: clear-text-password' to show up in
templates.dat. The clear-text-password string is also added as a
value that show up in passwords.dat. When we clear the password later
in the installation using
db_set debian-edu-config/kdc-password ""
this only clear the value in passwords.dat, but not the one in
templates.dat - causing the clear text password to be available after
installation. This is a security problem.
I am unable to understand why the default value is updated by
debconf-set-selections, but believe it is a bad idea to do so for
templates with the password type. Because of this, I propose the
following patch:
Index: debconf-set-selections
===================================================================
--- debconf-set-selections (revisjon 77643)
+++ debconf-set-selections (arbeidskopi)
@@ -51,7 +51,9 @@
$template->extended_description("This is a fake template used to pre-seed the debconf database. If you are seeing this, something is probably wrong.");
}
else {
- $template->default($content);
+ if ("password" ne $type) {
+ $template->default($content);
+ }
}
$template->type($type);
This fixed the problem for Debian Edu. Luckily we already had our own
version of debconf-set-selection, so we could fix the problem on our
end, but I believe the problem should be fixed for everyone using
debconf-set-selections to store passwords. :)
--
Happy hacking
Petter Reinholdtsen
More information about the Debconf-devel
mailing list