[Openstack-devel] Bug#706032: keystone: postinst replaces passwords in /etc/keystone/keystone.conf with sed
Salvatore Bonaccorso
carnil at debian.org
Tue Apr 23 18:26:41 UTC 2013
Package: keystone
Version: 2012.1.1-13
Severity: minor
Hi Thomas
Looking at the keystone postinst and remembering some comments on
#debian-security, I noticed that the keystone postinst does replacements
with sed as follows:
    if [ "x${INIFILE_ACCESS_MODE}" = "xset" ] ; then
        if [ "${DIRECTIVE_TYPE}" = "equal" ] ; then
            if [ "${INIFILE_SHELL_INCLUDE}" = "yes" ] ; then
                sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}'='${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
            else
                sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
            fi
        else
            sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}': '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
        fi
    fi
[...]
    # Create keystone.conf if it's not there
    pkgos_write_new_conf keystone keystone.conf
    # Set the auth_token directive in keystone.conf
    db_get keystone/auth-token
    AUTH_TOKEN=${RET}
    if [ -z "${AUTH_TOKEN}" ] ; then
        AUTH_TOKEN=`pkgos_gen_pass`
    fi
    pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}
But this might, for a short time only, expose the password in the
process list, as the token is passed as a world-readable command line
argument.
The reason I originally looked at the postinst: keystone in wheezy/sid seems
to create a /etc/keystone/keystone.confe due to
    AUTH_TOKEN=${RET:-ADMIN}
    sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
being used, so the replacement creates a backup file whose name ends in
'e'.
Thank you for your work on the openstack packages!
Regards,
Salvatore
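One way to update a directive in an ini-style file without the two problems described in the report (the secret showing up in argv, and a stray backup file from sed -ie); this is an added example, not code from the keystone package or its postinst, and the names set_ini_secret and INI_SECRET_VALUE are assumptions of the example:

```shell
#!/bin/sh
# Added example, not code from the keystone package: set an ini directive
# without placing the secret in argv.  /proc/<pid>/cmdline is world-readable,
# /proc/<pid>/environ is not, so the value travels in the environment.
# Assumed names: set_ini_secret and the INI_SECRET_VALUE variable.
set -eu

# set_ini_secret FILE SECTION KEY
# Rewrites "KEY = ..." under [SECTION] in FILE with $INI_SECRET_VALUE, adding
# the directive (and the section) if absent.  Output goes to a temp file and is
# copied back into the existing inode, so owner and mode are kept and no stray
# backup such as keystone.confe is produced (sed -ie would create one).
set_ini_secret() {
    file=$1; section=$2; key=$3
    tmp=$(mktemp "$(dirname "$file")/.$(basename "$file").XXXXXX")
    INI_SECTION="$section" INI_KEY="$key" INI_SECRET_VALUE="${INI_SECRET_VALUE?}" \
    awk '
        BEGIN {
            sect = ENVIRON["INI_SECTION"]; key = ENVIRON["INI_KEY"]
            val = ENVIRON["INI_SECRET_VALUE"]; in_sect = 0; done = 0
        }
        /^[ \t]*\[/ {                       # any section header
            if (in_sect && !done) { print key " = " val; done = 1 }
            in_sect = ($0 ~ ("^[ \t]*\\[" sect "\\][ \t]*$"))
        }
        in_sect && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next
        }
        { print }
        END { if (!done) { if (!in_sect) print "[" sect "]"; print key " = " val } }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed demo: a minimal keystone.conf-style file and a random token that
# never appears on any command line.
demo() {
    f=$(mktemp)
    printf '[DEFAULT]\nadmin_token = ADMIN\nbind_host = 0.0.0.0\n\n[sql]\nconnection = sqlite:///x.db\n' > "$f"
    INI_SECRET_VALUE=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    export INI_SECRET_VALUE
    set_ini_secret "$f" DEFAULT admin_token
    grep -c '^admin_token = ' "$f"      # prints 1; "${f}e" does not exist
    rm -f "$f"
}
demo
```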