[request-tracker-maintainers] Bug#475730: request-tracker3.6: should prompt for initial root password

Dominic Hargreaves dom at earth.li
Sun Jul 25 15:43:58 UTC 2010


On Sat, Apr 12, 2008 at 06:26:34PM +0300, Niko Tyni wrote:
> Package: request-tracker3.6
> Version: 3.6.6-2
> Severity: normal
> 
> The initial password for the RT superuser 'root' (separate from the
> local root account, of course) is currently set to 'password' on new
> installs. 
> 
> As the database is now created automatically since 3.6.6-2, this would be
> a gaping security hole if the system was reachable on the web after the
> default install. As things are, the web server must first be configured
> manually, so things are not quite that bad.
> 
> The right thing to do would be to prompt for the initial password via
> debconf. This requires changes to rt-setup-database, and I'm not sure
> yet if I'll implement this for Lenny, but I'm filing this as a reminder
> in any case.

We could do this quite simply with a script to manually set
the password after rt-setup-database would run, without having to 
patch rt-setup-database, but it would make most sense to put the
functionality in rt-setup-database, because:

a) the database connection logic is already there
b) we can avoid a potential attack window where the password is set to
a known value.

We would patch initialdata to remove the default password on the root
account, and patch rt-setup-database to separately set the password on
the root account (perhaps within action_insert, perhaps with a separate
action). It should be possible to use standard RT API methods (i.e.
RT::User->SetPassword) to do this.

One complication here is finding a secure channel for communication
between the postinst and rt-setup-database. We could make rt-setup-database
prompt for the password and then use expect or similar, but this is
hacky. We could use a command line option or environment variable, but 
these are not necessarily secure.

We could use a temporary file containing a password, which would be okay,
or we could use a direct call to debconf via perl APIs. The latter would
be the most elegant but would make the patch completely Debian-specific,
whereas a separate file-based approach would make it suitable for inclusion
upstream. Being able to set a safe password should benefit non-Debian
users, so we should aim to do this.

Another approach, which I considered and rejected, is to take a copy
of the initialdata in $TMPDIR and substitute the user input password
there, and then pass the new initialdata file to rt-setup-database via
--datafile. This would have avoided having to modify rt-setup-database.
The problem here is that --datafile is not suitable for use in the
'init' stage, because it would try and use the same file for the schema
and ACLs.

-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
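
Added example, not part of the original message and not RT or Debian code: a sketch of the temporary-file hand-off discussed above, with the writer in the postinst's role and the reader in the setup tool's role. The function names and the `rt-rootpw` file prefix are hypothetical, and how rt-setup-database would be told the path is left open.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not RT or Debian code.

# Writer (the postinst's role): store the password in a private temp file
# and print only the file's path, which is safe to pass on a command line.
write_password_file() {
    old_umask=$(umask)
    umask 077                       # belt and braces; mktemp already uses 0600
    pwfile=$(mktemp "${TMPDIR:-/tmp}/rt-rootpw.XXXXXX")
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 1
    printf '%s\n' "$1" > "$pwfile"  # shell builtin: the secret never hits argv
    printf '%s\n' "$pwfile"
}

# Reader (the setup tool's role): accept the file only if it is a regular
# file, owned by the current user, with no group/other permission bits.
read_password_file() {
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "refusing $1: not a regular file" >&2; return 1
    fi
    owner=$(stat -c '%u' "$1") || return 1   # GNU stat, as on Debian
    mode=$(stat -c '%a' "$1") || return 1
    [ "$owner" = "$(id -u)" ] || { echo "refusing $1: wrong owner" >&2; return 1; }
    case "$mode" in
        600|400) ;;
        *) echo "refusing $1: mode $mode" >&2; return 1 ;;
    esac
    IFS= read -r pw < "$1" || return 1
    rm -f "$1"                      # shorten the lifetime of the secret on disk
    printf '%s\n' "$pw"
}

# Demo with a constructed password.
path=$(write_password_file 'constructed-example-pw') &&
    read_password_file "$path" >/dev/null &&
    echo "password handed over via $path"
```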




