```puppet
exec {"Set password for hacluster user on $cluster_name":
  command => "/bin/echo ${::pacemaker::hacluster_pwd} | /usr/bin/passwd --stdin hacluster",
```
The value of ::pacemaker::hacluster_pwd is passed as a command-line argument to /bin/echo. This has two unintended consequences:
- the password may include special characters, such as $ ; ( , which will be interpreted by the shell.
- the password will be visible in the process list: echo is a shell builtin, but /bin/echo is an external program, so the password becomes one of its arguments. Depending on the scenario, this may disclose the password to a local attacker.
Acknowledgement: this issue was found by Florian Weimer of Red Hat.
puppet-pacemaker/manifests/corosync.pp
Line 56 in 5d91343
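One way to keep the password out of argv, as an added illustration rather than the project's own fix: run the command under the shell provider and hand the value over through the environment. The resource title, $cluster_name and $::pacemaker::hacluster_pwd are taken from the snippet above; the HACLUSTER_PWD variable name and the comments are assumptions of this example.

```puppet
# Added example, not puppet-pacemaker's code.
# Same exec as on the page, restructured so the password is never an
# argv entry of an external process.
exec { "Set password for hacluster user on ${cluster_name}":
  # provider => shell runs the command under /bin/sh, so printf/echo are
  # builtins: no external process carries the password in its argument list.
  provider    => shell,
  # The value reaches the command through the environment. Unlike argv,
  # /proc/<pid>/environ is readable only by the process owner (root here).
  # HACLUSTER_PWD is a name chosen for this example.
  environment => ["HACLUSTER_PWD=${::pacemaker::hacluster_pwd}"],
  # Single-quoted in Puppet, so the shell expands "$HACLUSTER_PWD" itself;
  # the double quotes keep $ ; ( and whitespace from being interpreted, and
  # printf '%s' avoids the backslash-escape handling some shells' echo does.
  command     => 'printf \'%s\n\' "$HACLUSTER_PWD" | /usr/bin/passwd --stdin hacluster',
}
```

This also keeps the password out of the command string that Puppet writes to its debug log when it executes the exec.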