Date:      Wed, 16 Apr 2014 03:13:20 GMT
From:      Dewayne <dewayne@heuristicsystems.com.au>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   ports/188679: security/cfengine hard-coded passwords in 3.5.3
Message-ID:  <201404160313.s3G3DKEn042639@cgiserv.freebsd.org>
Resent-Message-ID: <201404160320.s3G3K0ko047677@freefall.freebsd.org>


>Number:         188679
>Category:       ports
>Synopsis:       security/cfengine hard-coded passwords in 3.5.3
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Wed Apr 16 03:20:00 UTC 2014
>Closed-Date:
>Last-Modified:
>Originator:     Dewayne
>Release:        FreeBSD 9.2S
>Organization:
>Environment:
>Description:
I haven't had time to analyse whether or not this is a significant issue; nor do I wish to suggest some nefarious tracking mechanism.  However in the interests of openness, I'd like to share a mechanism to replace hard-coded passwords that were found in the cfengine35 port.

>How-To-Repeat:

>Fix:
Either insert the variables into the Makefile, for example
CFE_PASSWD_PRIV='privsecret'
CFE_PASSWD_PUB='\"pubsecret\"'
or pass them via the command line.

------------
 post-patch:
# You will need to prepend each line with a tab
@${REINPLACE_CMD} -e '/\*passphrase/s/Cfengine passphrase/${CFE_PASSWD_PRIV}/' \
-e '/\*passphrase/s/\"public\"/${CFE_PASSWD_PUB}/' \
${WRKSRC}/cf-key/cf-key.c ${WRKSRC}/libpromises/crypto.c \
${WRKSRC}/cf-key/cf-key-functions.c

------------
Ideally this should be an option, but that requires greater familiarity with the ports system.

The source file location of the passwords has changed with some cfengine revisions, and no doubt will again. 

>Release-Note:
>Audit-Trail:
>Unformatted:
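
The report notes that the source files holding the passphrases move between cfengine revisions, in which case the sed substitution silently matches nothing. The following check is an added example, not part of the PR or the port: it scans the patched tree for the two stock literals and fails if either remains. The function names and the sample source lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the port or of cfengine.

# Print each C source line under $1 that matches the PR's sed address
# (\*passphrase) and still holds a stock literal. Returns 1 if any remain.
find_default_passphrases() {
    hits=$(find "$1" -type f -name '*.c' \
               -exec grep -n -e '\*passphrase' /dev/null {} + 2>/dev/null |
           grep -e 'Cfengine passphrase' -e '"public"' || true)
    if [ -n "$hits" ]; then
        printf 'stock passphrase literal still present:\n%s\n' "$hits" >&2
        return 1
    fi
    return 0
}

# The PR's two substitutions applied to file $1. $2 and $3 are site-chosen
# values; they must not contain '/' or '&', which sed would interpret.
replace_passphrases() {
    sed -e "/\*passphrase/s/Cfengine passphrase/$2/" \
        -e "/\*passphrase/s/\"public\"/\"$3\"/" "$1" > "$1.new" &&
        mv "$1.new" "$1"
}

# Constructed sample tree. The path is one the PR names; the two lines are
# hypothetical, shaped only to match the PR's sed patterns.
make_sample_tree() {
    mkdir -p "$1/cf-key"
    cat > "$1/cf-key/cf-key-functions.c" <<'EOF'
static const char *passphrase = "Cfengine passphrase";
static char *passphrase = "public";
EOF
}

# Demo: the check fails on the untouched tree and passes after substitution.
demo=$(mktemp -d)
make_sample_tree "$demo"
find_default_passphrases "$demo" 2>/dev/null || echo "before: stock literals found"
replace_passphrases "$demo/cf-key/cf-key-functions.c" 'privsecret' 'pubsecret'
find_default_passphrases "$demo" && echo "after: tree is clean"
rm -rf "$demo"
```

Run against ${WRKSRC} after post-patch, a non-zero exit means a literal survived, for instance because it moved to a file the sed command does not list.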


