IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

py3: change_admin_password: use textual mode

Browse Source 
Convert function to NamedTemporaryFile with textual mode, because
passwords are text. Using `with` and NamedTemporaryFile gives more
security agains leaking password from tempfiles.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This commit is contained in:
Martin Basti
2017-01-31 20:27:11 +01:00
committed by Jan Cholasta
parent 488d01ced7
commit 69072cb80f
1 changed files with 8 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
ipaserver/install/dsinstance.py
View File

@@ -951,21 +951,19 @@ class DsInstance(service.Service):
def change_admin_password(self, password): def change_admin_password(self, password):
root_logger.debug("Changing admin password") root_logger.debug("Changing admin password")
dmpwdfile = ""
admpwdfile = ""
try: dir_ipa = paths.VAR_LIB_IPA
(dmpwdfd, dmpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) with tempfile.NamedTemporaryFile("w", dir=dir_ipa) as dmpwdfile, \
os.write(dmpwdfd, self.dm_password) tempfile.NamedTemporaryFile("w", dir=dir_ipa) as admpwdfile:
os.close(dmpwdfd) dmpwdfile.write(self.dm_password)
dmpwdfile.flush()
(admpwdfd, admpwdfile) = tempfile.mkstemp(dir=paths.VAR_LIB_IPA) admpwdfile.write(password)
os.write(admpwdfd, password) admpwdfile.flush()
os.close(admpwdfd)
args = [paths.LDAPPASSWD, "-h", self.fqdn, args = [paths.LDAPPASSWD, "-h", self.fqdn,
"-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))), "-ZZ", "-x", "-D", str(DN(('cn', 'Directory Manager'))),
"-y", dmpwdfile, "-T", admpwdfile, "-y", dmpwdfile.name, "-T", admpwdfile.name,
str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))] str(DN(('uid', 'admin'), ('cn', 'users'), ('cn', 'accounts'), self.suffix))]
try: try:
env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT), env = {'LDAPTLS_CACERTDIR': os.path.dirname(paths.IPA_CA_CRT),
@@ -976,12 +974,6 @@ class DsInstance(service.Service):
print("Unable to set admin password", e) print("Unable to set admin password", e)
root_logger.debug("Unable to set admin password %s" % e) root_logger.debug("Unable to set admin password %s" % e)
finally:
if os.path.isfile(dmpwdfile):
os.remove(dmpwdfile)
if os.path.isfile(admpwdfile):
os.remove(admpwdfile)
def uninstall(self): def uninstall(self):
if self.is_configured(): if self.is_configured():
self.print_msg("Unconfiguring directory server") self.print_msg("Unconfiguring directory server")