Bug 3356 - No way to set LDAP bind passwd without having it visible on the command line
No way to set LDAP bind passwd without having it visible on the command line
Status: RESOLVED FIXED
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
3.0.9
All Linux
: P3 normal
: none
Assigned To: Samba Bugzilla Account
Samba QA Contact
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2005-12-24 10:24 UTC by W. Michael Petullo
Modified: 2006-01-11 05:09 UTC (History)
0 users

See Also:


Attachments
add -W option to smbpasswd for interacive or -s enhanced entry of LDAP rootdn passwd (1.39 KB, patch)
2006-01-11 04:48 UTC, William Jojo
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description W. Michael Petullo 2005-12-24 10:24:43 UTC
To set the LDAP bind passwd for samba (in secrets.tdb) you must use "smbpasswd
-w passwd"

It would be nice if smbpasswd would prompt for the password if it wasn't
supplied on the command line

Rationale is that for the brief time that smbpasswd is running, the password is
visible to everyone via /prov/$pid/cmdline, which isn't ideal.

This is a security issue.  The smbpasswd program should support reading the 
admin password from a prompt, and also support the -s option (read from stdin.)
Comment 1 William Jojo 2006-01-11 04:48:52 UTC
Created attachment 1663 [details]
add -W option to smbpasswd for interacive or -s enhanced entry of LDAP rootdn passwd

The smbpasswd command uses -w (like the ldap* commands) for specifying the rootdn password. Since this requires an argument, I propose introducing -W with no arg to allow for interactive input or stdin (-s) to address the security concerns raised here.
Comment 2 Volker Lendecke 2006-01-11 05:09:02 UTC
Applied with 12840, thanks.

Volker