Roundup Tracker - Issues

Issue 2550789

classification
Title: No secure way to automatically initialize a new tracker
Type: security Severity: urgent
Components: Command-line interface Versions: devel
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: rouilj Nosy List: ThomasAH, ber, coderanger, rouilj
Priority: Keywords: Effort-Low

Created on 2013-01-21 01:30 by coderanger, last changed 2013-06-09 02:28 by rouilj.

Messages
msg4762 Author: [hidden] (coderanger) Date: 2013-01-21 01:30
The only non-interactive way to run initialize and set the admin password is to provide it on the 
command line. This is visible to all users of the system and represents a pretty severe leakage 
problem. Passing a password on the command line should not be an option at all, in favor of a 
file containing the password, preferably set to 0600 to ensure security.
msg4763 Author: [hidden] (rouilj) Date: 2013-01-21 01:52
Well there is a workaround using expect or pexpect or similar perl
module but I agree this should be a feature of the core code.

This should be relatively easy. A patch to roundup/admin.py in the
do_initialize function should make this work. I suggest using:

  initialize -f filename

for this case and checking for args > 1 and args[1] cto be -f
then opening the filename and reading the first line for the 
password. The code change needs to occur near:

         # password
        if len(args) > 1:
            adminpw = args[1]
        else:

It should keep it backwards compatible when used with a
single password argument. (Also is the code above a bug?
initialise shouldn't allow > 1 argument currently as the
additional args are ignored.)
msg4764 Author: [hidden] (coderanger) Date: 2013-01-21 03:09
While backwards compat is admirable, this should be on as fast a deprecation timeline as you 
can do. Beyond just showing up in ps, passwords on the command line also then show up in 
shell history files, probably in sudo logs, etc. Providing this an an option is, in the end, a 
disservice to users that might not know better.
msg4765 Author: [hidden] (rouilj) Date: 2013-01-21 03:30
Actually I just realized that a file with the contents:

  initialise password

piped into roundup-admin does the trick as roundup-admin
can accept scripts from stdin. This file can easily
be mode 600.

So simply 'cat command_script | roundup-admin -i tracker'
should work. Can you check and see if this works?

-- rouilj
msg4814 Author: [hidden] (rouilj) Date: 2013-03-07 02:35
Noah:

Were you able to find out if catting the information into 
roundup-admin worked for you?

-- rouilj
msg4815 Author: [hidden] (coderanger) Date: 2013-03-07 02:38
Yes, that does work. I would still recommend making this more explicit in the documentation for 
the initialization though. Thanks for your help!
msg4902 Author: [hidden] (rouilj) Date: 2013-06-09 02:28
I added the file example to user_guide.txt and place a note to see the
user_guide in the part of installation.txt that shows how to use the
initialise command.

Checked in for the next release of roundup.

I think this is sufficient to handle the problem without changing the
code.
History
Date User Action Args
2013-06-09 02:28:45rouiljsetresolution: fixed
2013-06-09 02:28:32rouiljsetstatus: new -> closed
assignee: rouilj
messages: + msg4902
2013-03-07 02:38:50coderangersetmessages: + msg4815
2013-03-07 02:35:36rouiljsetmessages: + msg4814
2013-01-24 08:53:27ThomasAHsetnosy: + ThomasAH
2013-01-21 09:40:18bersetnosy: + ber
2013-01-21 03:30:34rouiljsetmessages: + msg4765
2013-01-21 03:09:39coderangersetmessages: + msg4764
2013-01-21 01:52:01rouiljsetkeywords: + Effort-Low
nosy: + rouilj
messages: + msg4763
2013-01-21 01:30:34coderangercreate