Save password to temporary file instead of passing to subprocess in adduser

This prevents an attacker from monitoring the running processes and capturing passwords
2023-05-29 00:03:38 +00:00 · 2023-05-29 00:03:38 +00:00 · 97e60b232d
commit 97e60b232d
parent 57813cba9e
1 changed files with 4 additions and 1 deletions
--- a/5
+++ b/5
@ -21,7 +21,10 @@ def adduser(username, firstname, lastname, email, password):
    else:
        fullname = f'{firstname} {lastname}'

-    hashed_password = check_output(['openssl', 'passwd', '-6', password]).decode('utf-8')[:-1]
+    with open('password', 'w') as f:
+        f.write(password)
+    hashed_password = check_output(['openssl', 'passwd', '-6', '-in', 'password']).decode('utf-8')[:-1]
+    remove('password')

    # Construct LDIF
    ldif = f'''dn: uid={username},ou=People,dc=exozy,dc=me