From f66983313f7a016aae20ff824a95a45adad85768 Mon Sep 17 00:00:00 2001
From: Anthony Wang
Date: Wed, 14 Jun 2023 18:56:53 +0000
Subject: [PATCH] Pass LDAP password filename instead of password itself in *user scripts

This ensures the LDAP password doesn't show up in process table. I was an idiot when I wrote the original code.
---
 adduser | 3 +--
 deluser | 2 +-
 moduser | 3 +--
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/adduser b/adduser
index 492e722..28337a1 100755
--- a/adduser
+++ b/adduser
@@ -58,8 +58,7 @@ gidNumber: {uid}'''
     f.write(ldif)
 
     # Add user
-    ret = call(['ldapadd', '-D', 'cn=Manager,dc=exozy,dc=me', '-w',
-                open('/etc/ldappass', 'r').read(), '-f', filename])
+    ret = call(['ldapadd', '-D', 'cn=Manager,dc=exozy,dc=me', '-y', '/etc/ldappass', '-f', filename])
     if ret != 0:
         return
     remove(filename)
diff --git a/deluser b/deluser
index 5bdf120..aa4775a 100755
--- a/deluser
+++ b/deluser
@@ -10,7 +10,7 @@ def deluser(username):
     """Delete a user"""
 
     # Delete from LDAP server
-    run(['ldapdelete', '-w', open('/etc/ldappass', 'r').read(), '-D', 'cn=Manager,dc=exozy,dc=me',
+    run(['ldapdelete', '-y', '/etc/ldappass', '-D', 'cn=Manager,dc=exozy,dc=me',
          'uid=' + username + ',ou=People,dc=exozy,dc=me', 'cn=' + username + ',ou=Group,dc=exozy,dc=me'])
 
     # Cleanup
diff --git a/moduser b/moduser
index a2bc1bd..bf87df0 100755
--- a/moduser
+++ b/moduser
@@ -15,8 +15,7 @@ def moduser(username):
     environ['EDITOR'] = 'micro'
 
     if username == 'Manager':
-        run(['ldapvi', '-w', open('/etc/ldappass', 'r').read(),
-             '--user', 'cn=Manager,dc=exozy,dc=me'])
+        run(['ldapvi', '-y', '/etc/ldappass', '--user', 'cn=Manager,dc=exozy,dc=me'])
     else:
         dn = 'uid=' + username + ',ou=People,dc=exozy,dc=me'
         run(['ldapvi', '--user', dn, '--base', dn])
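Review bot: The new `-y /etc/ldappass` line in adduser (and the matching lines in deluser and moduser) moves the secret out of argv, but it also moves the read of the file into the child process, so the protection now rests entirely on that file's ownership and mode; nothing in these scripts checks it. The OpenLDAP tools use the complete contents of the `-y` file, trailing newline included, which is the same thing the old `open(...).read()` passed, so a file that authenticated before keeps authenticating — but anyone who later edits the file with an editor that adds or strips a final newline silently changes the password sent. A one-line comment at the first use would save the next maintainer from that surprise: `# -y sends the whole file, newline included; /etc/ldappass must be root-only (0600) and match the bind password byte-for-byte`. The enclosing function in each of the three hunks starts before the hunk and, in adduser and deluser, continues after it.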
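Review bot: In the deluser hunk the return value of the rewritten `run(['ldapdelete', ...])` call is still discarded, so a failed bind (for example because the child cannot read /etc/ldappass, which is exactly what this change makes possible) falls through to the "Cleanup" section and removes local state for a user who still exists in LDAP. adduser already checks `ret != 0` on its `call`; deluser should do the same or, assuming `run` is `subprocess.run`, fail fast with `run(['ldapdelete', '-y', '/etc/ldappass', '-D', 'cn=Manager,dc=exozy,dc=me', ..., check=True)`. The body of deluser continues past the end of the hunk.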
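Review bot: The moduser hunk applies the `-w`→`-y` swap to `ldapvi`, which is not one of the OpenLDAP client tools and parses its own options; it is worth confirming against the ldapvi manual (or a quick manual run as Manager) that `-y` is accepted there as a password-file option, since the `run` result is not checked and a rejected flag would only surface as an interactive failure. If it is, a short comment on that line noting that ldapvi and the ldap* tools share the `-y` semantics would let a reader stop wondering. The `if/else` is fully inside the hunk, but moduser itself begins before it.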