From mboxrd@z Thu Jan 1 00:00:00 1970 X-GM-THRID: 6654864813363036160 X-Received: by 2002:a1c:8083:: with SMTP id b125mr291597wmd.11.1549456457567; Wed, 06 Feb 2019 04:34:17 -0800 (PST) X-BeenThere: isar-users@googlegroups.com Received: by 2002:a1c:1f41:: with SMTP id f62ls343735wmf.14.canary-gmail; Wed, 06 Feb 2019 04:34:17 -0800 (PST) X-Google-Smtp-Source: AHgI3IaQzgqP6XsH9FG+31nWmp3hdaBAGYJaDLuFOHlwq7S9T4DqDVdxibIBavkP8WiYcVE1sYVd X-Received: by 2002:a7b:c349:: with SMTP id l9mr294397wmj.18.1549456457183; Wed, 06 Feb 2019 04:34:17 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1549456457; cv=none; d=google.com; s=arc-20160816; b=qYGK43T/MKvv2K9qZvRyAYq1bDAwhD6qfEc3lrYle+N4PIprFrI/4vLabPjtTPMDXN TpFF673kSv6LmqgLbNsSdewsZXi8D+Re+szxS0qKiztSYdMjUgV90TzFZqzsXVPEIMZC rAUgX48FivFkrE626bOU8ASpc/RAtOmMvBIuu5s1QfawEggDuIJhP8ffJ0UYt/idmXEL xV8KD8mJfqHD5+sEXzSQCWdH4aM/ev6OVisXhyyIU0Z/KpZ1jNouyUIfxfX8Vlb6tOMt lRnhQ1AnTSq0K8sEynnaDWEp8ERQtjrXhVBTRWh+tDWDl+vicyizMXfT/Pkc6mI1Fv6D 6WTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:message-id:subject:to:from :date; bh=y97sbBiPrTXGVX4CeZkxNZzopFSqz+c5OftPVnUCqIk=; b=xT9MWXCqcDNQ9/2jOAAMeTlEs/Hc8OjvJhr+JTEt46YKpF3lpbx9i/HWHyTzj455ka x5nTkAn0I9cSud5ZRunU1kgvf+ke1qG2yUZ7r/kxsQu52DMrC588YATT6gR3piRsKXRn E7VGz5LTaNdfM/pUGQNyMg8qeG4sCOgMDXLgDAUg454iy3rdVVMQfxKQNII4FKFH1Uiw ibtrNKc44sAatpMEeymWEcsqVoRICTQ34b53W/ut+emODrG/9vA9U+bSU4s53IztTwWh 7qY2eQt3qFoIyG9kFDYRk7jeEi3u4HcNiRZ6vUm/jATfh7X7SO69bO3OmrWKcVQJqYPg xoMQ== ARC-Authentication-Results: i=1; gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Return-Path: Received: from lizzard.sbs.de (lizzard.sbs.de. [194.138.37.39]) by gmr-mx.google.com with ESMTPS id z207si751178wmc.2.2019.02.06.04.34.17 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Feb 2019 04:34:17 -0800 (PST) Received-SPF: pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) client-ip=194.138.37.39; Authentication-Results: gmr-mx.google.com; spf=pass (google.com: domain of henning.schild@siemens.com designates 194.138.37.39 as permitted sender) smtp.mailfrom=henning.schild@siemens.com Received: from mail1.sbs.de (mail1.sbs.de [192.129.41.35]) by lizzard.sbs.de (8.15.2/8.15.2) with ESMTPS id x16CYG4M025017 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK) for ; Wed, 6 Feb 2019 13:34:16 +0100 Received: from md1za8fc.ad001.siemens.net ([139.25.69.48]) by mail1.sbs.de (8.15.2/8.15.2) with ESMTP id x16CYGlp022290 for ; Wed, 6 Feb 2019 13:34:16 +0100 Date: Wed, 6 Feb 2019 13:34:15 +0100 From: Henning Schild To: Subject: password setting via install hook is a security issue Message-ID: <20190206133415.1fb1a5f4@md1za8fc.ad001.siemens.net> X-Mailer: Claws Mail 3.15.0-dirty (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit X-TUID: OE7WYTVPOu91 Hi, just discussed the whole password setting story with Claudius. We discussed whether the password setting package should be a transient package. So one that gets installed last and gets removed again. These packages should not have any content and just carry scriptlets to replace the distro configure-scripts, making these layer-able. Turns out that dpkg keeps all post/pre-inst/rm scripts for currently installed packages. And it does so in a world-readable form. So if your target has multiple users even unprivileged users can find the rootpw with a simple "grep chpass /var/lib/dpkg/info/*". That is why Claudius will turn his passwd setting package into a transient one. In addition we will need a changelog entry telling all users to drop the "chpasswd" in "postinst" pattern for regular/non-transient packages. Henning