Ns7b2 password in secure log

Hi there,

It’s been a while but I’m picking up on the nethserver project; NICE WORK with ns7beta 2!
Trying to understand the SSSD/PAM/POSIX/shadow accounts, I had a look with OpenLDAP as account provider. Doing so I noticed passwords are stored in plain text in the secure log after a user is created.

from secure log:
... ns7b2 sudo: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/validate password-strength Users <PasswInPlainText>

Probably my fault complaining about that Crypt-Cracklib :hushed:
Nevertheless this does the secure log no right…

I have some other questions, but first I’m going to search the forum or try to figure them out myself.

Cheers Mark

6 Likes

Good catch @mark_nl!

We must hide user’s password from root’s eyes :wink:

I think this is a bug, what do you think @Stll0 ?

This is mitigated by the fact /var/log/secure can be read only by root. Moreover, the password could be entered by the admin himself! I must investigate other use cases though, like user changing password to himself.

1 Like

I suggest simply discarding these messages from logging:

# Drop-in rsyslog rule: discard the validator's sudo line before it is written to /var/log/secure
cat << EOF > /etc/rsyslog.d/password-strength.conf
:msg, contains, "COMMAND=/sbin/e-smith/validate password-strength" stop
EOF
systemctl restart rsyslog

What do you think?
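As an added example (not code from this thread or from the NethServer project), the Python below models what the rsyslog rule above does against a few constructed secure-log lines in the layout quoted in this thread, and puts the alternative, redacting only the password argument, next to it. The sample lines, the function names and the "<redacted>" placeholder are my own.

```python
import re

# Constructed sample lines in the layout quoted in this thread; not real log data.
SAMPLE_SECURE_LOG = [
    "Oct 13 11:01:23 server7c sudo: srvmgr : TTY=unknown ; "
    "PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; "
    "COMMAND=/sbin/e-smith/validate password-strength Users plaintextpwd",
    "Oct 13 11:01:24 server7c sudo: srvmgr : TTY=unknown ; "
    "PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; "
    "COMMAND=/sbin/e-smith/signal-event user-create mark",
    "Oct 13 11:01:25 server7c sshd[1234]: Accepted publickey for root "
    "from 192.0.2.10 port 51234 ssh2",
]

# The substring the rsyslog property filter tests with "contains".
DROP_MARKER = "COMMAND=/sbin/e-smith/validate password-strength"

# Everything after "password-strength <type> " is the password argument;
# matching to end of line also covers a password that contains spaces.
PASSWORD_ARG = re.compile(
    r"(COMMAND=/sbin/e-smith/validate password-strength \S+ ).*$"
)


def should_drop(line):
    """Same test as ':msg, contains, "..." stop' (case-sensitive substring)."""
    return DROP_MARKER in line


def redact(line):
    """Keep the audit record (who, when, from where) but replace the password."""
    return PASSWORD_ARG.sub(r"\1<redacted>", line)


def filter_secure_log(lines, mode="drop"):
    """Apply the rsyslog approach from the post ("drop") or redaction ("redact")."""
    if mode == "drop":
        return [line for line in lines if not should_drop(line)]
    if mode == "redact":
        return [redact(line) for line in lines]
    raise ValueError("unknown mode: %s" % mode)


def leaked_secrets(lines, secrets):
    """Audit helper: which of the given secrets appear verbatim in the log."""
    return sorted(s for s in secrets if any(s in line for line in lines))


if __name__ == "__main__":
    for line in filter_secure_log(SAMPLE_SECURE_LOG, "redact"):
        print(line)
```

Two things to keep in mind when deploying the rsyslog rule itself: `contains` is case-sensitive and `stop` needs rsyslog 7 or later (older versions used `~` for discard), and the drop-in has to be evaluated before the rule that writes `/var/log/secure`; on CentOS 7 that holds because the stock rsyslog.conf includes `/etc/rsyslog.d/*.conf` ahead of its own rules. The rule also throws away the whole sudo audit record, which is why the redaction variant above keeps the line and blanks only the last argument.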

Yes I know it is root only; Linux goes to great lengths to hash all the passwords,
so I thought it’s not appropriate to “store” it in a log file.

Works OK

This is a quick and dirty solution. I’d prefer the password isn’t passed to the log subsystem at all, like the password-changing action does.

Let me evaluate an alternative solution…

Opened issue with PR

2 Likes
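To show the difference the comment above points at (secret on the command line versus secret on standard input), here is an added Python example; it is not code from this thread or from NethServer. The child checker is a hypothetical stand-in for `/sbin/e-smith/validate password-strength` that only checks length, and `sudo_style_command()` mimics how sudo writes the COMMAND= field to the secure log by joining argv with spaces.

```python
import subprocess
import sys

# Hypothetical stand-in for "/sbin/e-smith/validate password-strength":
# a tiny length-only checker run as a child process. It is not the real
# validator; it exists only so the argv-vs-stdin difference can be shown offline.
CHECKER_FROM_ARGV = (
    "import sys\n"
    "pw = sys.argv[1] if len(sys.argv) > 1 else ''\n"
    "print('ok' if len(pw) >= 8 else 'weak')\n"
)
CHECKER_FROM_STDIN = (
    "import sys\n"
    "pw = sys.stdin.readline().rstrip('\\n')\n"  # one line: embedded newlines unsupported
    "print('ok' if len(pw) >= 8 else 'weak')\n"
)


def sudo_style_command(argv):
    """Mimic sudo's log field: COMMAND=<argv joined by single spaces>."""
    return "COMMAND=" + " ".join(argv)


def validate_via_argv(password):
    """The pattern found in the thread: the secret is an argument, so sudo's log,
    ps and /proc/<pid>/cmdline all see it. Returns (verdict, logged_command)."""
    argv = [sys.executable, "-c", CHECKER_FROM_ARGV, password]
    proc = subprocess.run(argv, capture_output=True, text=True, check=True)
    return proc.stdout.strip(), sudo_style_command(argv)


def validate_via_stdin(password):
    """The fix: the secret travels over a pipe; argv holds only public tokens."""
    argv = [sys.executable, "-c", CHECKER_FROM_STDIN]
    proc = subprocess.run(argv, input=password + "\n",
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip(), sudo_style_command(argv)


if __name__ == "__main__":
    secret = "S3cretPassw0rd"
    for fn in (validate_via_argv, validate_via_stdin):
        verdict, logged = fn(secret)
        print(fn.__name__, verdict, "leaks" if secret in logged else "clean")
```

The stdin variant is what the usage note in the thread asks for: nothing the logging subsystem (or any other user running `ps`) can observe ever contains the password, so no rsyslog filtering is needed afterwards.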

I get this without ‘changing the root password’.
Oct 13 11:01:23 server7c sudo: srvmgr : TTY=unknown ; PWD=/usr/share/nethesis/nethserver-manager ; USER=root ; COMMAND=/sbin/e-smith/validate password-strength Users plaintextpwd

1 Like

Right, as I stated in the bug description

This happens also if a domain account provider is installed and root wants to change another user’s password, or another user wants to change his own password.

We’re pushing an RPM on nethserver-testing soon! Stay tuned!

1 Like

It’s in testing now, would you mind verifying it @fasttech @mark_nl ?

2 Likes

I tested and commented on github.

3 Likes

+1, can be closed

1 Like