Bug 3356 - No way to set LDAP bind passwd without having it visible on the command line
Status: RESOLVED FIXED
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Client Tools
Version: 3.0.9
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2005-12-24 10:24 UTC by W. Michael Petullo
Modified: 2006-01-11 05:09 UTC

Attachments
add -W option to smbpasswd for interactive or -s enhanced entry of LDAP rootdn passwd (1.39 KB, patch)
2006-01-11 04:48 UTC, William Jojo

Description W. Michael Petullo 2005-12-24 10:24:43 UTC
To set the LDAP bind passwd for samba (in secrets.tdb) you must use "smbpasswd
-w passwd".

It would be nice if smbpasswd would prompt for the password if it wasn't
supplied on the command line.

Rationale is that for the brief time that smbpasswd is running, the password is
visible to everyone via /proc/$pid/cmdline, which isn't ideal.

This is a security issue.  The smbpasswd program should support reading the 
admin password from a prompt, and also support the -s option (read from stdin.)
Comment 1 William Jojo 2006-01-11 04:48:52 UTC
Created attachment 1663
add -W option to smbpasswd for interactive or -s enhanced entry of LDAP rootdn passwd

The smbpasswd command uses -w (like the ldap* commands) for specifying the rootdn password. Since this requires an argument, I propose introducing -W with no arg to allow for interactive input or stdin (-s) to address the security concerns raised here.
Comment 2 Volker Lendecke 2006-01-11 05:09:02 UTC
Applied with 12840, thanks.

Volker
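
Added example, not part of the bug report or the attached patch: a shell sketch of the exposure described above and of the stdin alternative. A child shell named `demo-tool` (a constructed stand-in, not smbpasswd) is started once with a constructed secret as an argument and once with the secret on stdin, and its `/proc/<pid>/cmdline` is read back each time. It assumes a Linux system with `/proc` mounted.

```shell
#!/bin/sh
# Stand-in demo: "demo-tool" is a constructed name for a child shell, not smbpasswd.
SECRET='constructed-demo-secret'   # constructed sample value

# Print a process's argv as any local user can read it (NUL separators -> spaces).
cmdline_of() {
    tr '\0' ' ' < "/proc/$1/cmdline"
}

# Start the stand-in in the background, wait until it has exec'd, print its argv.
#   $1 = argv  : secret is an argument, like "smbpasswd -w passwd"
#   $1 = stdin : secret arrives on stdin, like the proposed "smbpasswd -W -s"
observe() {
    if [ "$1" = argv ]; then
        sh -c 'sleep 1; :' demo-tool -w "$SECRET" >/dev/null 2>&1 &
    else
        # printf is a shell builtin, so the secret never enters any argv here.
        printf '%s\n' "$SECRET" |
            sh -c 'read -r pw; sleep 1; :' demo-tool -W -s >/dev/null 2>&1 &
    fi
    pid=$!
    seen=''
    tries=0
    # Between fork and exec the child still shows the parent's argv, so poll
    # until the stand-in's own name appears.
    while [ "$tries" -lt 50 ]; do
        seen=$(cmdline_of "$pid" 2>/dev/null) || seen=''
        case $seen in *demo-tool*) break ;; esac
        tries=$((tries + 1))
        sleep 0.1 2>/dev/null || sleep 1
    done
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    printf '%s\n' "$seen"
}

# Return 0 when the secret is present in the observed argv string.
leaks() {
    case $1 in *"$SECRET"*) return 0 ;; *) return 1 ;; esac
}

for mode in argv stdin; do
    out=$(observe "$mode")
    if leaks "$out"; then verdict='secret visible'; else verdict='secret not visible'; fi
    printf '%-5s %s: %s\n' "$mode" "$verdict" "$out"
done
```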