[Openstack-devel] Bug#706032: Bug#706032: keystone: postinst replaces passwords in /etc/keystone/keystone.conf with sed

Salvatore Bonaccorso carnil at debian.org
Wed Apr 24 05:30:25 UTC 2013


Hi Thomas

Thank you for your quick reply.

On Wed, Apr 24, 2013 at 04:24:18AM +0800, Thomas Goirand wrote:
> On 04/24/2013 02:26 AM, Salvatore Bonaccorso wrote:
> > Package: keystone
> > Version: 2012.1.1-13
> > Severity: minor
> > 
> > Hi Thomas
> > 
> > 79 sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
> > [...]
> > 586         pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}
> > 
> > But this might, for a short time only, expose the password in the
> > process list, as the token is passed as a world-readable command line
> > argument.
> 
> Hi Salvatore,
> 
> Indeed, this is a problem. And it is wider than you think, since in
> many OpenStack packages, I've been doing that to set the keystone
> service credentials in multiple places (e.g. in Cinder, Glance, Heat,
> Nova and Quantum).

Yep. I only looked at keystone right now.

> My Unix foo tells me that I could create a folder in /tmp, then use echo
> to write the sed parameters in it (since echo is built-in in most sh
> implementations), then finally use the -f parameter of sed. Though this
> seems a bit overkill, so I might want to do that only on some specific
> security concerned cases, which is problematic: it would be easy to forget
> "--safe-replace-with-no-ps-aux" when calling pkgos_inifile.

Yes, this should be OK. It will not expose the replacement. The only thing
that needs to be taken care of is not to create predictable filenames.

> > The reason I originally looked at the postinst: keystone in wheezy/sid seems
> > to create a /etc/keystone/keystone.confe due to 
> > 
> >         AUTH_TOKEN=${RET:-ADMIN}
> >         sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
> > 
> > being used, so replacing the file creates a backup file ending in
> > 'e'.
> 
> Oh. I stared at the code trying to find out why it was generating these
> files ending with "e", and didn't find out (I don't think that part was
> written by me). Thanks for finding it. If I understand well, it is
> because sed is called using:
> sed -ie <expression> <file>
> 
> instead of:
> sed -i -e <expression> <file>
> 
> then the "e" is used as the backup suffix. Right? That's a pretty stupid
> bug... :)

Yes exactly, this is the reason the keystone.confe file is created :).

Don't know, it might be worth adding some small cleanup part in the next
keystone upload.

Regards,
Salvatore
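A safer variant of the pkgos_inifile "set" case discussed in this thread, added here as an example and not code from the Debian packaging: the replacement text is written to a mktemp file that sed reads with -f, so the token never appears on a sed command line (and so never in the process list), and -i -e is spelled out so no keystone.confe style backup is left behind. The function name safe_inifile_set and the demo config are constructed for this example; it assumes GNU sed (for -i and -f).

```shell
# Set "directive = value" inside [section] of an INI file without
# passing the value on the sed command line.
# $1 config file, $2 section, $3 directive, $4 new value
safe_inifile_set() {
    conf=$1; section=$2; directive=$3; value=$4

    # mktemp creates a private (mode 0600), unpredictably named file;
    # the secret goes in here instead of into argv.
    script=$(mktemp) || return 1

    # The value is the s/// replacement; escape what is special there
    # (& and \) plus our | delimiter.
    esc=$(printf '%s' "$value" | sed 's/[&|\\]/\\&/g')

    # Address range: from the [section] header up to the next [header],
    # then rewrite the directive line. \t becomes a literal tab via printf.
    printf '/^\\[%s\\]/,/^\\[/ s|^[ \t]*%s[ \t]*=.*|%s = %s|\n' \
        "$section" "$directive" "$directive" "$esc" > "$script"

    # -i -f: in place, script from file. Note "-i -e", never "-ie":
    # "-ie" means "-i" with backup suffix "e", which is how keystone.confe
    # came about in the thread above.
    sed -i -f "$script" "$conf"
    rc=$?
    rm -f "$script"
    return $rc
}

# Constructed demo config (not a real keystone.conf), edited in place.
demo=$(mktemp)
printf '[DEFAULT]\nadmin_token = ADMIN\n[other]\nadmin_token = keep\n' > "$demo"
safe_inifile_set "$demo" DEFAULT admin_token 's3cr&t|x'
cat "$demo"
rm -f "$demo"
```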
