[Openstack-devel] Bug#706032: Bug#706032: keystone: postinst replaces passwords in /etc/keystone/keystone.conf with sed

Salvatore Bonaccorso carnil at debian.org
Wed Apr 24 05:30:25 UTC 2013

Hi Thomas

Thank you for your quick reply.

On Wed, Apr 24, 2013 at 04:24:18AM +0800, Thomas Goirand wrote:
> On 04/24/2013 02:26 AM, Salvatore Bonaccorso wrote:
> > Package: keystone
> > Version: 2012.1.1-13
> > Severity: minor
> > 
> > Hi Thomas
> > 
> > 79 sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' =
> > [...]
> > 586         pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}
> > 
> > But this migth, for short time only, expose the password seen in the
> > process list, as the token is passed as command line argument world
> > readable.
> Hi Salvatore,
> Indeed, this is a problem. And it is more wide than you think, since in
> many openstack packages, I've been doing that to set the keystone
> service credentials in multiple places (eg: in Cinder, Glance, Heat,
> Nova and Quantum).

Jupp. I only looked at keystone right now.

> My Unix foo tells me that I could create a folder in /tmp, then use echo
> to write the sed parameters in it (since echo is built-in in most sh
> implementations), then finally use the -f parameter of sed. Though this
> seems a bit overkill, so I might want to do that only on some specific
> security concerned cases, which is problematic: it would easy to forget
> "--safe-replace-with-no-ps-aux" when calling pkgos_inifile.

Yes this should be ok. It will not expose the replacement. Only thing
which needs to be taken care is to not create predictable filenames.

> > The reason I originally to the postinst: keystone in wheezy/sid seems
> > to create a /etc/keystone/keystone.confe due to 
> > 
> >         AUTH_TOKEN=${RET:-ADMIN}
> >         sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
> > 
> > beeing used, so replacing the file creating a backupfile with ending
> > 'e'.
> Oh. I stared at the code trying to find out why it was generating these
> files ending with "e", and didn't find out (I don't think that part was
> written by me). Thanks for finding it. If I understand well, it is
> because sed is called using:
> sed -ie <expression> <file>
> instead of:
> sed -i -e <expression> <file>
> then the "e" is used as backup character. Right? That's a pretty stupid
> bug... :)

Yes exactly, this is the reason the keystone.confe file is created :).

Don't know, might be worth adding some small cleanup part in next
keystone upload.


More information about the Openstack-devel mailing list