On 8/27/21 11:32 AM, Martin Pitt wrote:
Hello Mark,
I'm afraid I have no further idea about the original bug -- at this point I'd
need to try this code and reproduce. But..
Mark Reynolds [2021-08-26 8:54 -0400]:
let cmd = [
"/bin/sh",
"-c",
'/usr/bin/echo -e "' +
setup_inf + '" >> ' + setup_file
];
// Do not log inf file as it
contains the DM password
This is a security issue, BTW -- The default umask is 022, thus this file will
still be world-readable on most systems.
Actually the file was already created higher up in the code, and the
permissions were changed prior to appending (>>) to the setup file.
Then the file is removed immediately after install (pass or fail).
/*
* Next, create the
instance...
*/
let cmd =
["dscreate", "-j", "from-file", setup_file];
Can dscreate read from stdin by any chance?
Actually I think it can...
In the worst case, by specifying
/dev/stdin as a file? Then you could use .input() to feed it the data,
something like
let dscreate = cockpit.spawn(...);
dscreate.input(setup_inf);
dscreate
.then(() => console.log("success"))
.catch(err => console.error(JSON.stringify(err));
This is much simpler (one spawn instead of three, safer (no writing of the
password to the file system on disk), and most probably also avoids this weird
error.
We will definitely consider this for the next phase of the UI.
Thanks,
Mark
[1]
https://cockpit-project.org/guide/latest/cockpit-spawn.html#cockpit-spawn-input
One thing I am on F34 not F33, not sure if that makes a difference or not.
And I am on Cockpit 250...
Same here.
Pitti
--
Directory Server Development Team
_______________________________________________
cockpit-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
