You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@ambari.apache.org by "Robert Levas (JIRA)" <ji...@apache.org> on 2016/06/10 18:22:21 UTC
[jira] [Updated] (AMBARI-17172) Kadmin operations can leak the
admin password in ps output
[ https://issues.apache.org/jira/browse/AMBARI-17172?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Levas updated AMBARI-17172:
----------------------------------
Status: Patch Available (was: In Progress)
> Kadmin operations can leak the admin password in ps output
> ----------------------------------------------------------
>
> Key: AMBARI-17172
> URL: https://issues.apache.org/jira/browse/AMBARI-17172
> Project: Ambari
> Issue Type: Bug
> Components: ambari-server
> Affects Versions: 2.0.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Critical
> Labels: kerberos
> Fix For: 2.4.0
>
> Attachments: AMBARI-17172_branch-2.4_01.patch, AMBARI-17172_trunk_01.patch
>
>
> add_principal operations pass the password in the command line, so users on the system can run {{ps aux | grep kadmin}} and be able to see the admin users password in ps output. This can turn into a security issue that would allow non privileged users to obtain this password and use it to escalate their privileges.
> We need to find a way to prevent passing this password as a CLI option.
> *Solution*
> Pass the admin and user passwords to {{kadmin}} via the process's STDIN channel rather than the via the command line.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)