[Openstack-devel] Bug#706032: keystone: postinst replaces passwords in /etc/keystone/keystone.conf with sed

Salvatore Bonaccorso carnil at debian.org
Tue Apr 23 18:26:41 UTC 2013


Package: keystone
Version: 2012.1.1-13
Severity: minor

Hi Thomas

Looking at the keystone postinst and remembering some comments on
#debian-security, I noticed that the keystone postinst does replacements
with sed as follows:

 74                                 if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then
 75                                         if [ "${DIRECTIVE_TYPE}" = "equal" ] ; then
 76                                                 if [ "${INIFILE_SHELL_INCLUDE}" = "yes" ] ; then
 77                                                         sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}'='${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
 78                                                 else
 79                                                         sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
 80                                                 fi
 81                                         else
 82                                                 sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}': '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
 83                                         fi
 84                                 fi
[...]
578         # Create keystone.conf if it's not there
579         pkgos_write_new_conf keystone keystone.conf
580         # Set the auth_token directive in keystone.conf
581         db_get keystone/auth-token
582         AUTH_TOKEN=${RET}
583         if [ -z "${AUTH_TOKEN}" ] ; then
584                 AUTH_TOKEN=`pkgos_gen_pass`
585         fi
586         pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}

But this might, for a short time only, expose the password in the
process list, as the token is passed as a command-line argument, which is
world readable.

The reason I originally looked at the postinst: keystone in wheezy/sid seems
to create a /etc/keystone/keystone.confe due to

        AUTH_TOKEN=${RET:-ADMIN}
        sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}

being used, so replacing the file creates a backup file with the ending
'e'.

Thank you for your work on the openstack packages!

Regards,
Salvatore
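The two problems in this report can both be shown in a few lines of POSIX sh. The following is an added example, written for this archive page; it is not code from the keystone package, its postinst, or the pkgos helpers. `set_ini_value` rewrites a `key = value` line under a given INI section while reading the value from the environment variable `INI_VALUE` (via awk's `ENVIRON`), so the secret never appears in argv and therefore never in `ps` output; `sed_ie_leaves_backup` reproduces the `sed -ie` mistake, which sed parses as `-i` with the backup suffix `e`. The function names and the `INI_VALUE` variable are my own choices and the sample config is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the keystone package. Set "key = value" under
# [section] in an INI file. The value is taken from the exported variable
# INI_VALUE, so only the file, section and key names are visible on the
# command line; the secret itself never shows up in `ps` output.
set_ini_value() {
    file="$1"; section="$2"; key="$3"
    [ -n "${INI_VALUE+set}" ] || { echo "INI_VALUE is not set" >&2; return 2; }
    tmp="$(mktemp "${file}.XXXXXX")" || return 1
    # awk receives only the names as arguments; the value is read from the
    # environment inside the script through ENVIRON["INI_VALUE"].
    awk -v section="$section" -v key="$key" '
        function emit() { print key " = " ENVIRON["INI_VALUE"]; done = 1 }
        /^\[.*\]/ {                         # a section header
            if (insect && !done) emit()     # key missing: add it before leaving
            insect = ($0 == ("[" section "]"))
            print; next
        }
        insect && !done && $0 ~ ("^[ \t]*" key "[ \t]*[=:]") { emit(); next }
        { print }
        END {
            if (!done) {                    # section absent or key absent at EOF
                if (!insect) print "[" section "]"
                emit()
            }
        }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Copy back instead of mv so the config keeps its owner and mode
    # (mv would leave it with mktemp's 0600); not atomic, but no secret
    # ever passes through argv.
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Reproduces the second problem from the report: "sed -ie" is parsed as
# "-i" with backup suffix "e", so editing keystone.conf leaves a stray
# keystone.confe behind. Returns 0 if that backup file was created.
sed_ie_leaves_backup() {
    dir="$(mktemp -d)" || return 1
    printf 'admin_token = ADMIN\n' > "$dir/keystone.conf"
    sed -ie 's|^admin_token.*|admin_token = x|' "$dir/keystone.conf"
    if [ -f "$dir/keystone.confe" ]; then rc=0; else rc=1; fi
    rm -rf "$dir"
    return $rc
}
```

Usage from a maintainer script would be `INI_VALUE="$(pkgos_gen_pass)"; export INI_VALUE; set_ini_value /etc/keystone/keystone.conf DEFAULT admin_token`, after which `unset INI_VALUE`. Passing the value through the environment rather than argv is the point: `/proc/<pid>/environ` is readable only by the process owner, while `/proc/<pid>/cmdline` is readable by everyone.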


