[Openstack-devel] Bug#706032: Bug#706032: keystone: postinst replaces passwords in /etc/keystone/keystone.conf with sed

Thomas Goirand zigo at debian.org
Tue Apr 23 20:24:18 UTC 2013


On 04/24/2013 02:26 AM, Salvatore Bonaccorso wrote:
> Package: keystone
> Version: 2012.1.1-13
> Severity: minor
> 
> Hi Thomas
> 
> 79 sed -i ${INIFILE_CNT}' s|.*|'${INIFILE_DIRECTIVE}' = '${INIFILE_NEW_VALUE}'|' ${INIFILE_MYCONFIG}
> [...]
> 586         pkgos_inifile set ${KEY_CONF} DEFAULT admin_token ${AUTH_TOKEN}
> 
> But this might, for a short time only, expose the password seen in the
> process list, as the token is passed as a command line argument, world
> readable.

Hi Salvatore,

Indeed, this is a problem. And it is wider than you think, since in
many openstack packages, I've been doing that to set the keystone
service credentials in multiple places (e.g. in Cinder, Glance, Heat,
Nova and Quantum).

My Unix foo tells me that I could create a folder in /tmp, then use echo
to write the sed parameters in it (since echo is built-in in most sh
implementations), then finally use the -f parameter of sed. Though this
seems a bit overkill, so I might want to do that only on some specific
security concerned cases, which is problematic: it would be easy to forget
"--safe-replace-with-no-ps-aux" when calling pkgos_inifile.

Do you have an idea what is the best way to fix this?
Thoughts?

In case you don't add comments, I'll use the above, always. I'd rather
be safe than fast.

> The reason I originally to the postinst: keystone in wheezy/sid seems
> to create a /etc/keystone/keystone.confe due to 
> 
>         AUTH_TOKEN=${RET:-ADMIN}
>         sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '${AUTH_TOKEN}'|' ${KEY_CONF}
> 
> being used, so replacing the file creates a backup file with ending
> 'e'.

Oh. I stared at the code trying to find out why it was generating these
files ending with "e", and didn't find out (I don't think that part was
written by me). Thanks for finding it. If I understand well, it is
because sed is called using:
sed -ie <expression> <file>

instead of:
sed -i -e <expression> <file>

then the "e" is used as backup character. Right? That's a pretty stupid
bug... :)

Thomas
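The two issues discussed in this thread, reproduced as an added example that is not code from the bug report or the keystone package. It works on a constructed keystone.conf in a temporary directory (standing in for /etc/keystone/keystone.conf), shows the stray "keystone.confe" that "sed -ie" leaves behind, and then performs the same edit the way Thomas describes: the sed program is written by the shell builtin printf into a mode-0600 file and passed with -f, so the token never appears in any process's argument list. Token values here are constructed.

```shell
#!/bin/sh
# Added example (not code from the bug report or the keystone package).
# Reproduces the "sed -ie" backup-suffix bug and the token-in-argv problem
# on a constructed config file, then shows the "-f" approach as the fix.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY_CONF="$WORK/keystone.conf"   # stand-in for /etc/keystone/keystone.conf

# Constructed config fragment; also clears any leftover backup file.
make_conf() {
    printf '[DEFAULT]\nadmin_token = ADMIN\n' > "$KEY_CONF"
    rm -f "$KEY_CONF"e
}

# The call from the old postinst. "-ie" is parsed as "-i" with backup
# suffix "e", so sed leaves keystone.confe behind; and the token sits in
# sed's command line, where anyone listing processes can read it.
buggy_replace() {
    make_conf
    sed -ie 's|^[ \t]*admin_token[ \t]*=.*|admin_token = '"$1"'|' "$KEY_CONF"
    if [ -e "$KEY_CONF"e ]; then echo backup-created; else echo no-backup; fi
}

# Safer variant: "-i" and "-f" are separate options, so no backup file is
# made, and the secret never appears on a command line. printf is a shell
# builtin, so the token exists only in this shell's memory and in a
# mode-0600 script file that is removed right after sed has read it.
# Caveat: the token must not contain sed metacharacters (| & \ or newline).
safe_replace() {
    make_conf
    script="$WORK/sed.script"
    (umask 077; printf 's|^[[:space:]]*admin_token[[:space:]]*=.*|admin_token = %s|\n' "$1" > "$script")
    sed -i -f "$script" "$KEY_CONF"
    rm -f "$script"
    if [ -e "$KEY_CONF"e ]; then echo backup-created; else echo no-backup; fi
}

# Read back the value currently set, so the edit can be verified.
current_token() {
    sed -n 's/^admin_token = //p' "$KEY_CONF"
}

buggy_replace "constructed-token-1"
echo "buggy call:  admin_token=$(current_token)"
safe_replace "constructed-token-2"
echo "safe call:   admin_token=$(current_token)"
```

Running the script prints the token after each call; the first call also leaves keystone.confe in the work directory, the second does not. For a packaging helper like pkgos_inifile, the -f form is the one to use unconditionally, which avoids the "easy to forget the safe flag" problem raised above.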
