* password setting via install hook is a security issue
From: Henning Schild @ 2019-02-06 12:34 UTC
To: isar-users
Hi,
just discussed the whole password setting story with Claudius. We
discussed whether the password setting package should be a transient
package.
So one that gets installed last and gets removed again. These packages
should not have any content and just carry scriptlets to replace the
distro configure-scripts, making these layer-able.
Turns out that dpkg keeps all post/pre-inst/rm scripts for currently
installed packages. And it does so in a world-readable form. So if your
target has multiple users even unprivileged users can find the rootpw
with a simple "grep chpass /var/lib/dpkg/info/*".
That is why Claudius will turn his passwd setting package into a
transient one. In addition we will need a changelog entry telling all
users to drop the "chpasswd" in "postinst" pattern for
regular/non-transient packages.
Henning
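The leak Henning describes is easy to audit for on a target: dpkg keeps every maintainer script of an installed package under /var/lib/dpkg/info, and a postinst that pipes a literal password into chpasswd therefore stays on disk, readable by any local user, for as long as the package is installed. The POSIX shell script below is an added example, not part of the original mail or of Isar; it walks a dpkg info directory, reports maintainer scripts that call chpasswd together with their file mode, and deliberately prints the script name rather than the offending line so the audit output itself does not copy the credential. The fixture directory with `leaky-pkg` and `clean-pkg` is constructed for the example; the default path /var/lib/dpkg/info is the real dpkg location from the mail.

```shell
#!/bin/sh
# Added example (not from the original mail or the Isar project): audit a
# dpkg info directory for maintainer scripts that embed credentials via
# chpasswd. Such scripts stay on disk, world-readable, for every installed
# package, which is the leak the mail describes.

# audit_dpkg_scripts [DIR]
# Scan *.preinst/*.postinst/*.prerm/*.postrm in DIR (default:
# /var/lib/dpkg/info). Print "<script> (mode <octal>)" for each script that
# mentions chpasswd. Return 0 if at least one was found, 1 otherwise.
audit_dpkg_scripts() {
    dir="${1:-/var/lib/dpkg/info}"
    found=0
    for f in "$dir"/*.preinst "$dir"/*.postinst "$dir"/*.prerm "$dir"/*.postrm; do
        [ -f "$f" ] || continue
        if grep -q 'chpasswd' "$f"; then
            found=1
            # Report the script and its permissions, never the secret line itself.
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            printf '%s (mode %s)\n' "$f" "$mode"
        fi
    done
    [ "$found" -eq 1 ]
}

# make_fixture
# Build a constructed stand-in for /var/lib/dpkg/info with one postinst
# that sets a password inline (the anti-pattern) and one that does not.
# Prints the fixture directory path.
make_fixture() {
    tmp=$(mktemp -d)
    # Constructed sample: the "chpasswd in postinst" pattern the mail warns about.
    printf '#!/bin/sh\necho "root:example-password" | chpasswd\n' > "$tmp/leaky-pkg.postinst"
    printf '#!/bin/sh\n# no credentials handled here\n' > "$tmp/clean-pkg.postinst"
    # dpkg installs maintainer scripts world-readable; mirror that in the fixture.
    chmod 755 "$tmp"/*.postinst
    printf '%s\n' "$tmp"
}

# Stand-alone run against the constructed fixture.
fixture=$(make_fixture)
audit_dpkg_scripts "$fixture" || echo "no chpasswd in maintainer scripts under $fixture"
```

On a real target, `audit_dpkg_scripts` with no argument scans the live dpkg database; because those scripts are world-readable it does not even need root, which is exactly why a hit matters. A package flagged here should move its password handling into a transient package that is removed after install (so dpkg purges its scripts) or stop shipping the credential in a maintainer script altogether, as the mail recommends.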