#2110 Do not display password on xCAT commands

2.7.2
closed
Jing Sun
General (881)
5
2012-10-18
2011-07-12
No

I suggest all commands in xCAT which display database information (e.g. lsdef) should not display the passwords from the passwd table or any other table that holds a password. The field should exist but be xxxxxxx out. We may give authority to a non-root user to use lsdef. To see the password, only root using one of the change functions or tabedit. There may be some command like tabdump that must allow the value.

Discussion

  • Guang Cheng Li

    Guang Cheng Li - 2011-07-13

    Lissa, as we discussed in yesterday's interlock meeting, we will need design work for the encrypted passwords in xCAT tables. I added a wishlist item for xCAT 2.7 for this item. Closing this bug out; we cannot use this bug to do all the password-related changes.

     
  • Lissa Valletta

    Lissa Valletta - 2011-07-14

    I actually think this is a bug. I would like to not display the password on our commands and do not relate it to password encryption at all. Currently lsdef displays passwords and it should not. I think password encryption is a development line item. This is a current bug and potential security hole in our code. We would not display the password even if it was encrypted.

     
  • Guang Cheng Li

    Guang Cheng Li - 2012-02-17

    I do not think we could fix this bug in 2.7. Moving out to 2.7.1.

     
  • Jing Sun

    Jing Sun - 2012-04-05

    I did an experiment for the policy table and wanted to deny the non-root user (loadl) from the "lstree -H" command.

    According to http://sourceforge.net/apps/mediawiki/xcat/index.php?title=Granting_Users_xCAT_privileges, I ran "/opt/xcat/share/xcat/scripts/setup-local-client.sh loadl", and added a new entry in the policy table:
    "6","loadl",,"lstree",,"-H",,"deny",,

    But it seems it does not work; the other flags, such as -s, are also denied.
    [root@935n03 ~]# su - loadl
    [loadl@935n03 ~]$
    [loadl@935n03 ~]$ lstree -H
    Error: Permission denied for request
    [loadl@935n03 ~]$
    [loadl@935n03 ~]$ lstree -s
    Error: Permission denied for request
    [loadl@935n03 ~]$

    Did I miss any configuration?

     
  • Jing Sun

    Jing Sun - 2012-04-11

    Will check in code to 2.7.2.

     
  • Jing Sun

    Jing Sun - 2012-04-24

    In xCAT 2.7.2, we address the changes below:
    1. Ensure the passwords will not be displayed in verbose mode or logs. Completed in:

    2.8 trunk:
    aixinstall.pm revision 12307
    lsslp.pm revision 12309
    FSPUtils.pm revision 12311
    PPCenergy.pm revision 12313
    PPCfsp.pm (checked with Ertao, no securing needed, the passwords for dev/celogin1 need to be presented to the user)
    webportal.pm (checked with XuQing, no securing needed, the passwords for VM need to be presented to the user)

    db2sqlsetup revision 12315
    mysqlsetup revision 12317
    pgsqlsetup revision 12319
    runsqlcmd revision 12321

    2.7 branch:
    aixinstall.pm revision 12308
    lsslp.pm revision 12310
    FSPUtils.pm revision 12312
    PPCenergy.pm revision 12314
    PPCfsp.pm (checked with Ertao, no securing needed, the passwords for dev/celogin1 need to be presented to the user)
    webportal.pm (checked with XuQing, no securing needed, the passwords for VM need to be presented to the user)

    db2sqlsetup revision 12316
    mysqlsetup revision 12318
    pgsqlsetup revision 12320
    runsqlcmd revision 12322

    2. Only allow root to run commands in XCATBYPASS mode. Completed in:

    2.8 trunk:
    Client.pm revision 12323

    2.7 branch:
    Client.pm revision 12324

     
  • Lissa Valletta

    Lissa Valletta - 2012-10-18
    • status: pending --> closed
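
The behaviour requested in the ticket description (a password field stays present but is masked on display) and the 2.7.2 fix noted in the 2012-04-24 comment (passwords kept out of verbose output and logs), as an added Perl example that is not xCAT code. The name-matching rule, the function names, and the sample node and log line are constructed assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: any attribute whose name contains "password"/"passwd" is a secret.
my $SECRET_NAME = qr/passw(?:or)?d/i;
my $MASK        = 'xxxxxxx';

# Return a display-safe copy of an attribute hash. Secret attributes keep
# their key, so the reader can tell a value is set, but the value is masked.
sub redact_for_display {
    my ($attrs) = @_;
    my %safe = %{$attrs};
    for my $name (keys %safe) {
        next unless $name =~ $SECRET_NAME;
        next unless defined $safe{$name} && length $safe{$name};
        $safe{$name} = $MASK;
    }
    return \%safe;
}

# Mask "name=value" / "name: value" pairs with a secret name in a line that is
# about to go to verbose output or a log file.
sub scrub_log_line {
    my ($line) = @_;
    $line =~ s/\b(\w*$SECRET_NAME\s*[=:]\s*)\S+/$1$MASK/g;
    return $line;
}

# Constructed sample data (hypothetical node and attribute names).
my %node = (
    bmc         => '10.0.0.5',
    bmcusername => 'admin',
    bmcpassword => 'S3cret!',
    groups      => 'compute,all',
);

my $shown = redact_for_display(\%node);
print "Object name: node01\n";
print "    $_=$shown->{$_}\n" for sort keys %{$shown};

# Constructed log line: only the value after the secret name is replaced.
print scrub_log_line("running setup with user=xcatadm password=S3cret! host=db1"), "\n";
```

Masking on the copy leaves the stored value untouched, so change functions that need the real password still read it from the table.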
     
