|
 |
35e59b |
From 5764a80e5edd7fa38323146261c6b4e498d282dd Mon Sep 17 00:00:00 2001
|
|
|
35e59b |
From: "Endi S. Dewata" <edewata@redhat.com>
|
|
|
35e59b |
Date: Mon, 17 May 2021 18:17:26 -0500
|
|
|
35e59b |
Subject: [PATCH] Use password file when creating admin user
|
|
|
35e59b |
|
|
|
35e59b |
The pki-server <subsystem>-user-add has been updated to
|
|
|
35e59b |
provide a --password-file option. The deployment tool
|
|
|
35e59b |
has been modified to use this option when creating the
|
|
|
35e59b |
admin user to avoid the password from getting logged in
|
|
|
35e59b |
the debug mode.
|
|
|
35e59b |
|
|
|
35e59b |
Resolves: CVE-2021-3551
|
|
|
35e59b |
---
|
|
|
35e59b |
base/server/python/pki/server/cli/user.py | 9 ++-
|
|
|
35e59b |
.../python/pki/server/deployment/__init__.py | 5 +-
|
|
|
35e59b |
base/server/python/pki/server/subsystem.py | 74 +++++++++++--------
|
|
|
35e59b |
.../server/cli/SubsystemUserAddCLI.java | 11 +++
|
|
|
35e59b |
4 files changed, 66 insertions(+), 33 deletions(-)
|
|
|
35e59b |
|
|
|
35e59b |
diff --git a/base/server/python/pki/server/cli/user.py b/base/server/python/pki/server/cli/user.py
|
|
|
35e59b |
index c00a1acb50..c5c8d52956 100644
|
|
|
35e59b |
--- a/base/server/python/pki/server/cli/user.py
|
|
|
35e59b |
+++ b/base/server/python/pki/server/cli/user.py
|
|
|
35e59b |
@@ -47,6 +47,7 @@ class UserAddCLI(pki.cli.CLI):
|
|
|
35e59b |
print(' --full-name <full name> Full name')
|
|
|
35e59b |
print(' --email <email> Email')
|
|
|
35e59b |
print(' --password <password> Password')
|
|
|
35e59b |
+ print(' --password-file <path> Password file')
|
|
|
35e59b |
print(' --phone <phone> Phone')
|
|
|
35e59b |
print(' --type <type> Type')
|
|
|
35e59b |
print(' --state <state> State')
|
|
|
35e59b |
@@ -59,7 +60,8 @@ class UserAddCLI(pki.cli.CLI):
|
|
|
35e59b |
def execute(self, argv):
|
|
|
35e59b |
try:
|
|
|
35e59b |
opts, args = getopt.gnu_getopt(argv, 'i:v', [
|
|
|
35e59b |
- 'instance=', 'full-name=', 'email=', 'password=',
|
|
|
35e59b |
+ 'instance=', 'full-name=', 'email=',
|
|
|
35e59b |
+ 'password=', 'password-file=',
|
|
|
35e59b |
'phone=', 'type=', 'state=', 'tps-profiles=',
|
|
|
35e59b |
'verbose', 'debug', 'help'])
|
|
|
35e59b |
|
|
|
35e59b |
@@ -73,6 +75,7 @@ class UserAddCLI(pki.cli.CLI):
|
|
|
35e59b |
full_name = None
|
|
|
35e59b |
email = None
|
|
|
35e59b |
password = None
|
|
|
35e59b |
+ password_file = None
|
|
|
35e59b |
phone = None
|
|
|
35e59b |
user_type = None
|
|
|
35e59b |
state = None
|
|
|
35e59b |
@@ -91,6 +94,9 @@ class UserAddCLI(pki.cli.CLI):
|
|
|
35e59b |
elif o == '--password':
|
|
|
35e59b |
password = a
|
|
|
35e59b |
|
|
|
35e59b |
+ elif o == '--password-file':
|
|
|
35e59b |
+ password_file = a
|
|
|
35e59b |
+
|
|
|
35e59b |
elif o == '--phone':
|
|
|
35e59b |
phone = a
|
|
|
35e59b |
|
|
|
35e59b |
@@ -149,6 +155,7 @@ class UserAddCLI(pki.cli.CLI):
|
|
|
35e59b |
full_name=full_name,
|
|
|
35e59b |
email=email,
|
|
|
35e59b |
password=password,
|
|
|
35e59b |
+ password_file=password_file,
|
|
|
35e59b |
phone=phone,
|
|
|
35e59b |
user_type=user_type,
|
|
|
35e59b |
tps_profiles=tps_profiles,
|
|
|
35e59b |
diff --git a/base/server/python/pki/server/deployment/__init__.py b/base/server/python/pki/server/deployment/__init__.py
|
|
|
35e59b |
index 347ab1acdd..6d5f083b47 100644
|
|
|
35e59b |
--- a/base/server/python/pki/server/deployment/__init__.py
|
|
|
35e59b |
+++ b/base/server/python/pki/server/deployment/__init__.py
|
|
|
35e59b |
@@ -373,6 +373,8 @@ class PKIDeployer:
|
|
|
35e59b |
|
|
|
35e59b |
response = client.setupAdmin(request)
|
|
|
35e59b |
|
|
|
35e59b |
+ # Run the command as current user such that
|
|
|
35e59b |
+ # it can read the temporary password file.
|
|
|
35e59b |
subsystem.add_user(
|
|
|
35e59b |
uid,
|
|
|
35e59b |
full_name=full_name,
|
|
|
35e59b |
@@ -380,7 +382,8 @@ class PKIDeployer:
|
|
|
35e59b |
password=password,
|
|
|
35e59b |
user_type='adminType',
|
|
|
35e59b |
state='1',
|
|
|
35e59b |
- tps_profiles=tps_profiles)
|
|
|
35e59b |
+ tps_profiles=tps_profiles,
|
|
|
35e59b |
+ as_current_user=True)
|
|
|
35e59b |
|
|
|
35e59b |
admin_groups = subsystem.config['preop.admin.group']
|
|
|
35e59b |
groups = [x.strip() for x in admin_groups.split(',')]
|
|
|
35e59b |
diff --git a/base/server/python/pki/server/subsystem.py b/base/server/python/pki/server/subsystem.py
|
|
|
35e59b |
index a3ed0c7f3a..41d8d67c2e 100644
|
|
|
35e59b |
--- a/base/server/python/pki/server/subsystem.py
|
|
|
35e59b |
+++ b/base/server/python/pki/server/subsystem.py
|
|
|
35e59b |
@@ -1335,54 +1335,66 @@ class PKISubsystem(object):
|
|
|
35e59b |
full_name=None,
|
|
|
35e59b |
email=None,
|
|
|
35e59b |
password=None,
|
|
|
35e59b |
+ password_file=None,
|
|
|
35e59b |
phone=None,
|
|
|
35e59b |
user_type=None,
|
|
|
35e59b |
state=None,
|
|
|
35e59b |
tps_profiles=None,
|
|
|
35e59b |
as_current_user=False):
|
|
|
35e59b |
|
|
|
35e59b |
- cmd = [self.name + '-user-add']
|
|
|
35e59b |
+ tmpdir = tempfile.mkdtemp()
|
|
|
35e59b |
|
|
|
35e59b |
- if full_name:
|
|
|
35e59b |
- cmd.append('--full-name')
|
|
|
35e59b |
- cmd.append(full_name)
|
|
|
35e59b |
+ try:
|
|
|
35e59b |
+ if password and not password_file:
|
|
|
35e59b |
+ password_file = os.path.join(tmpdir, 'password.txt')
|
|
|
35e59b |
+ with open(password_file, 'w') as f:
|
|
|
35e59b |
+ f.write(password)
|
|
|
35e59b |
|
|
|
35e59b |
- if email:
|
|
|
35e59b |
- cmd.append('--email')
|
|
|
35e59b |
- cmd.append(email)
|
|
|
35e59b |
+ cmd = [self.name + '-user-add']
|
|
|
35e59b |
|
|
|
35e59b |
- if password:
|
|
|
35e59b |
- cmd.append('--password')
|
|
|
35e59b |
- cmd.append(password)
|
|
|
35e59b |
+ if full_name:
|
|
|
35e59b |
+ cmd.append('--full-name')
|
|
|
35e59b |
+ cmd.append(full_name)
|
|
|
35e59b |
|
|
|
35e59b |
- if phone:
|
|
|
35e59b |
- cmd.append('--phone')
|
|
|
35e59b |
- cmd.append(phone)
|
|
|
35e59b |
+ if email:
|
|
|
35e59b |
+ cmd.append('--email')
|
|
|
35e59b |
+ cmd.append(email)
|
|
|
35e59b |
|
|
|
35e59b |
- if user_type:
|
|
|
35e59b |
- cmd.append('--type')
|
|
|
35e59b |
- cmd.append(user_type)
|
|
|
35e59b |
+ if password_file:
|
|
|
35e59b |
+ cmd.append('--password-file')
|
|
|
35e59b |
+ cmd.append(password_file)
|
|
|
35e59b |
|
|
|
35e59b |
- if state:
|
|
|
35e59b |
- cmd.append('--state')
|
|
|
35e59b |
- cmd.append(state)
|
|
|
35e59b |
+ if phone:
|
|
|
35e59b |
+ cmd.append('--phone')
|
|
|
35e59b |
+ cmd.append(phone)
|
|
|
35e59b |
|
|
|
35e59b |
- if tps_profiles:
|
|
|
35e59b |
- cmd.append('--tps-profiles')
|
|
|
35e59b |
- cmd.append(','.join(tps_profiles))
|
|
|
35e59b |
+ if user_type:
|
|
|
35e59b |
+ cmd.append('--type')
|
|
|
35e59b |
+ cmd.append(user_type)
|
|
|
35e59b |
|
|
|
35e59b |
- if logger.isEnabledFor(logging.DEBUG):
|
|
|
35e59b |
- cmd.append('--debug')
|
|
|
35e59b |
+ if state:
|
|
|
35e59b |
+ cmd.append('--state')
|
|
|
35e59b |
+ cmd.append(state)
|
|
|
35e59b |
|
|
|
35e59b |
- elif logger.isEnabledFor(logging.INFO):
|
|
|
35e59b |
- cmd.append('--verbose')
|
|
|
35e59b |
+ if tps_profiles:
|
|
|
35e59b |
+ cmd.append('--tps-profiles')
|
|
|
35e59b |
+ cmd.append(','.join(tps_profiles))
|
|
|
35e59b |
|
|
|
35e59b |
- cmd.append(user_id)
|
|
|
35e59b |
+ if logger.isEnabledFor(logging.DEBUG):
|
|
|
35e59b |
+ cmd.append('--debug')
|
|
|
35e59b |
|
|
|
35e59b |
- self.run(
|
|
|
35e59b |
- cmd,
|
|
|
35e59b |
- as_current_user=as_current_user,
|
|
|
35e59b |
- capture_output=True)
|
|
|
35e59b |
+ elif logger.isEnabledFor(logging.INFO):
|
|
|
35e59b |
+ cmd.append('--verbose')
|
|
|
35e59b |
+
|
|
|
35e59b |
+ cmd.append(user_id)
|
|
|
35e59b |
+
|
|
|
35e59b |
+ self.run(
|
|
|
35e59b |
+ cmd,
|
|
|
35e59b |
+ as_current_user=as_current_user,
|
|
|
35e59b |
+ capture_output=True)
|
|
|
35e59b |
+
|
|
|
35e59b |
+ finally:
|
|
|
35e59b |
+ shutil.rmtree(tmpdir)
|
|
|
35e59b |
|
|
|
35e59b |
def modify_user(self, user_id, add_see_also=None, del_see_also=None,
|
|
|
35e59b |
as_current_user=False):
|
|
|
35e59b |
diff --git a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
|
|
35e59b |
index 5a385c359f..04d68de758 100644
|
|
|
35e59b |
--- a/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
|
|
35e59b |
+++ b/base/server/src/org/dogtagpki/server/cli/SubsystemUserAddCLI.java
|
|
|
35e59b |
@@ -6,6 +6,8 @@
|
|
|
35e59b |
package org.dogtagpki.server.cli;
|
|
|
35e59b |
|
|
|
35e59b |
import java.io.File;
|
|
|
35e59b |
+import java.nio.file.Files;
|
|
|
35e59b |
+import java.nio.file.Paths;
|
|
|
35e59b |
import java.util.Arrays;
|
|
|
35e59b |
import java.util.List;
|
|
|
35e59b |
|
|
|
35e59b |
@@ -60,6 +62,10 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
|
|
35e59b |
option.setArgName("password");
|
|
|
35e59b |
options.addOption(option);
|
|
|
35e59b |
|
|
|
35e59b |
+ option = new Option(null, "password-file", true, "Password file");
|
|
|
35e59b |
+ option.setArgName("path");
|
|
|
35e59b |
+ options.addOption(option);
|
|
|
35e59b |
+
|
|
|
35e59b |
option = new Option(null, "phone", true, "Phone");
|
|
|
35e59b |
option.setArgName("phone");
|
|
|
35e59b |
options.addOption(option);
|
|
|
35e59b |
@@ -95,11 +101,16 @@ public class SubsystemUserAddCLI extends CommandCLI {
|
|
|
35e59b |
|
|
|
35e59b |
String email = cmd.getOptionValue("email");
|
|
|
35e59b |
String password = cmd.getOptionValue("password");
|
|
|
35e59b |
+ String passwordFile = cmd.getOptionValue("password-file");
|
|
|
35e59b |
String phone = cmd.getOptionValue("phone");
|
|
|
35e59b |
String type = cmd.getOptionValue("type");
|
|
|
35e59b |
String state = cmd.getOptionValue("state");
|
|
|
35e59b |
String tpsProfiles = cmd.getOptionValue("tps-profiles");
|
|
|
35e59b |
|
|
|
35e59b |
+ if (passwordFile != null) {
|
|
|
35e59b |
+ password = new String(Files.readAllBytes(Paths.get(passwordFile)), "UTF-8").trim();
|
|
|
35e59b |
+ }
|
|
|
35e59b |
+
|
|
|
35e59b |
String catalinaBase = System.getProperty("catalina.base");
|
|
|
35e59b |
|
|
|
35e59b |
TomcatJSS tomcatjss = TomcatJSS.getInstance();
|
|
|
35e59b |
--
|
|
|
35e59b |
2.30.2
|
|
|
35e59b |
|