Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1446137
Description of problem:
pki_client_database_password is shown in ipaserver-install.log

Version-Release number of selected component (if applicable):
ipa-server-4.5.0-8.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install IPA-Server
2. Check ipaserver-install.log

Actual results:
pki_client_database_password is displayed in the install log

2017-04-27T10:12:50Z DEBUG Contents of pkispawn configuration file (/tmp/tmp1d8iQh):
[CA]
pki_security_domain_name = IPA
pki_enable_proxy = True
pki_restart_configured_instance = False
pki_backup_keys = True
pki_backup_password = XXXXXXXX
pki_profiles_in_ldap = True
pki_default_ocsp_uri = http://ipa-ca.testrelm.test/ca/ocsp
pki_client_database_dir = /var/lib/ipa/tmp-bilHhu
pki_client_database_password = 7Nk~a?+bv,IM!$qWWmh3mlWT{SRq}.dQJ}o%uqkcE   <===
pki_client_database_purge = False
pki_client_pkcs12_password = XXXXXXXX
pki_admin_name = admin
pki_admin_uid = admin
pki_admin_email = root@localhost
pki_admin_password = XXXXXXXX

Expected results:
We should not display the password in the install log

Additional info:
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1446137
This is a backport request of 7fddc1d , original PR: https://github.com/freeipa/freeipa/pull/658
Metadata Update from @pvoborni: - Issue priority set to: critical
Can we please have some tests that verify we don't write any sensitive password to disk? Locations to check are:
- /etc/ipa/
- /etc/pki/
- /etc/dirsrv/
- /var/run/ipa/
- /var/lib/ipa/
- /var/lib/pki/
- /var/log/ipa/
- /var/log/ipa*
- /var/log/pki/
- /tmp/
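As an added example (not FreeIPA's own code and not the change in PR 658), here are the two checks this thread talks about, in Python: masking `*_password` values before a pkispawn config is written to a log, and a scan of a list of directories for a known password value. The directory, file names and the sample password in `demo()` are constructed for the demonstration, not taken from the ticket.

```python
import os
import re
import tempfile

# Keys whose values must never reach a log. The ticket shows
# pki_client_database_password logged in clear while the others were masked.
SENSITIVE_KEYS = frozenset({"pki_backup_password", "pki_client_database_password",
                            "pki_client_pkcs12_password", "pki_admin_password"})
MASK = "XXXXXXXX"
KEY_VALUE = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=\s*)(.*)$")


def mask_config(text):
    """Return pkispawn-style config text with sensitive values replaced by MASK."""
    out = []
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group(2) in SENSITIVE_KEYS:
            line = m.group(1) + m.group(2) + m.group(3) + MASK
        out.append(line)
    return "\n".join(out)


def find_secret_on_disk(secret, roots):
    """Return every regular file under roots whose contents contain secret."""
    needle = secret.encode("utf-8")
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    with open(path, "rb") as f:
                        if needle in f.read():
                            hits.append(path)
                except OSError:
                    continue  # unreadable or vanished file; nothing to report
    return sorted(hits)


def demo():
    # Constructed scenario: one log written unmasked (the bug), one masked (the fix).
    secret = "Constructed-Example-Pw-1"  # constructed value, not from the ticket
    config = "[CA]\npki_backup_password = %s\npki_client_database_password = %s\n" \
             "pki_client_database_purge = False\n" % (secret, secret)
    root = tempfile.mkdtemp(prefix="ipa-log-scan-")
    with open(os.path.join(root, "leaky-install.log"), "w") as f:
        f.write(config)                # raw config dumped to the log
    with open(os.path.join(root, "fixed-install.log"), "w") as f:
        f.write(mask_config(config))   # masked before logging
    return [os.path.basename(p) for p in find_secret_on_disk(secret, [root])]
```

A CI check would run `find_secret_on_disk` with the installer's real passwords against the directory list above and fail the install test on any hit.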
Metadata Update from @cheimes: - Issue priority set to: None (was: critical)
Metadata Update from @akasurde: - Issue priority set to: critical
Metadata Update from @akasurde: - Issue assigned to akasurde
Metadata Update from @akasurde: - Assignee reset - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/740
ipa-4-5:
@cheimes for the missing tests please open a separate issue. I can imagine they can be part of each server/replica install in CI suite.
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)