On Sat, Apr 12, 2008 at 06:26:34PM +0300, Niko Tyni wrote:

> Package: request-tracker3.6
> Version: 3.6.6-2
> Severity: normal
>
> The initial password for the RT superuser 'root' (separate from the
> local root account, of course) is currently set to 'password' on new
> installs.
>
> As the database is now created automatically since 3.6.6-2, this would be
> a gaping security hole if the system was reachable on the web after the
> default install. As things are, the web server must first be configured
> manually, so things are not quite that bad.
>
> The right thing to do would be to prompt for the initial password via
> debconf. This requires changes to rt-setup-database, and I'm not sure
> yet if I'll implement this for Lenny, but I'm filing this as a reminder
> in any case.
We could do this quite simply with a script to manually set the password after rt-setup-database would run, without having to patch rt-setup-database, but it would make most sense to put the functionality in rt-setup-database, because:

a) the database connection logic is already there
b) we can avoid a potential attack window where the password is set to a known value.

We would patch initialdata to remove the default password on the root account, and patch rt-setup-database to separately set the password on the root account (perhaps within action_insert, perhaps with a separate action). It should be possible to use standard RT API methods (i.e. RT::User->SetPassword) to do this.

One complication here is finding a secure channel for communication between the postinst and rt-setup-database. We could make rt-setup-database prompt for the password and then use expect or similar, but this is hacky. We could use a command line option or environment variable, but these are not necessarily secure. We could use a temporary file containing a password, which would be okay, or we could use a direct call to debconf via perl APIs. The latter would be the most elegant but would make the patch completely Debian-specific, whereas a separate file-based approach would make it suitable for inclusion upstream. Being able to set a safe password should benefit non-Debian users, so we should aim to do this.

Another approach, which I considered and rejected, is to take a copy of the initialdata in $TMPDIR and substitute the user input password there, and then pass the new initialdata file to rt-setup-database via --datafile. This would have avoided having to modify rt-setup-database. The problem here is that --datafile is not suitable for use in the 'init' stage, because it would try and use the same file for the schema and ACLs.
-- 
Dominic Hargreaves | http://www.larted.org.uk/~dom/
PGP key 5178E2A5 from the.earth.li (keyserver,web,email)
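The message above prefers a temporary file over argv or the environment as the channel for handing the chosen root password from the postinst to rt-setup-database. The following sketch is an added example, not code from the bug thread, from RT or from the Debian package: it shows both ends of that file-based channel, with the checks the consumer should make before trusting the file. The `--password-file` option on rt-setup-database is hypothetical (the message only proposes such a patch), and `RT_SETUP_DATABASE` and the helper names are this example's own.

```shell
#!/bin/sh
# Added example (not the bug thread's or RT's code): a file-based channel for
# passing the RT root password from a postinst to a patched rt-setup-database.
# Assumptions: rt-setup-database accepts a hypothetical --password-file option;
# RT_SETUP_DATABASE lets a caller substitute the command (used for testing).

# Emit 32 hex characters from the kernel RNG, for the case where no password
# was supplied through debconf and a random one is safer than a fixed default.
generate_password() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# Print the octal mode of a file (GNU stat first, BSD stat as a fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Producer side: store the password in a fresh temporary file that only the
# current user can read, and print the file's path. umask is changed inside a
# subshell so the caller's umask is untouched; mktemp already creates 0600.
write_password_file() {
    (
        umask 077
        pwfile=$(mktemp "${TMPDIR:-/tmp}/rt-root-pw.XXXXXX") || exit 1
        printf '%s\n' "$1" > "$pwfile" || { rm -f "$pwfile"; exit 1; }
        printf '%s\n' "$pwfile"
    )
}

# Consumer side: read the password back, refusing anything that is not a
# regular file, is not owned by us, or is readable by anyone else. This is the
# check a patched rt-setup-database would make before trusting the content.
read_password_file() {
    pwfile=$1
    [ -f "$pwfile" ] || { echo "$pwfile: not a regular file" >&2; return 1; }
    [ "$(find "$pwfile" -prune -user "$(id -un)" 2>/dev/null)" = "$pwfile" ] \
        || { echo "$pwfile: not owned by $(id -un)" >&2; return 1; }
    case $(file_mode "$pwfile") in
        600|400) ;;
        *) echo "$pwfile: mode $(file_mode "$pwfile") is too permissive" >&2
           return 1 ;;
    esac
    # IFS= and -r keep the password byte-for-byte (leading spaces, backslashes).
    IFS= read -r pw < "$pwfile" || return 1
    printf '%s\n' "$pw"
}

# Postinst side: create the file, run the (hypothetical) patched setup script
# with it, and remove the file whether or not setup succeeded, so the password
# does not outlive the installation step on disk.
setup_database_with_password() {
    tmp_pwfile=$(write_password_file "$1") || return 1
    "${RT_SETUP_DATABASE:-rt-setup-database}" --action init --password-file "$tmp_pwfile"
    setup_rc=$?
    rm -f "$tmp_pwfile"
    return $setup_rc
}
```

In a postinst this would be wired up as `setup_database_with_password "$(db_get ... && printf '%s' "$RET")"`, falling back to `generate_password` when the debconf answer is empty; the consumer-side checks are what distinguish this channel from a plain command-line option, which every local user can read from the process table while the command runs.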