bootstrap: do not leak password in process list

ibizaman
2025-07-21 23:32:58 +02:00
committed by nitnelave
parent fa196a9fd9
commit 3c7e4c3dec
2 changed files with 14 additions and 6 deletions
+2 -2
@@ -707,9 +707,9 @@ main() {
redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')" redundant_users="$(printf '%s' "$redundant_users" | jq --compact-output --arg id "$id" '. - [$id]')"
if [[ "$password_file" != 'null' ]] && [[ "$password_file" != '""' ]]; then if [[ "$password_file" != 'null' ]] && [[ "$password_file" != '""' ]]; then
"$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$(cat $password_file)" LLDAP_USER_PASSWORD="$(cat $password_file)" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
elif [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then elif [[ "$password" != 'null' ]] && [[ "$password" != '""' ]]; then
"$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id" --password "$password" LLDAP_USER_PASSWORD="$password" "$LLDAP_SET_PASSWORD_PATH" --base-url "$LLDAP_URL" --token "$TOKEN" --username "$id"
fi fi
# Process custom attributes # Process custom attributes
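Review bot: The `--token "$TOKEN"` argument on both rewritten lines (the password_file branch and the password branch) is still passed in argv, so this change closes the process-list exposure only for the password while the API token remains visible to any local user who can list processes; if the set_password binary can take the token from the environment or a file, it should be passed the same way, though I cannot see from this hunk whether it can. The unquoted `$(cat $password_file)` is also subject to word splitting and globbing; `"$(cat "$password_file")"` is the safe form. Note that when a command substitution appears in an environment-prefix assignment, its exit status is not checked, so an unreadable password file yields an empty LLDAP_USER_PASSWORD rather than a failure here; reading it into a variable first, `pw="$(cat "$password_file")" || return 1`, and then using `LLDAP_USER_PASSWORD="$pw"` would surface that. The enclosing `main()` starts and ends outside the hunk.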
+12 -4
@@ -1,3 +1,5 @@
use std::env;
use anyhow::{Context, Result, bail, ensure}; use anyhow::{Context, Result, bail, ensure};
use clap::Parser; use clap::Parser;
use lldap_auth::{opaque, registration}; use lldap_auth::{opaque, registration};
@@ -27,9 +29,9 @@ pub struct CliOpts {
#[clap(short, long)] #[clap(short, long)]
pub username: String, pub username: String,
/// New password for the user. /// New password for the user. Can also be passed as the environment variable LLDAP_USER_PASSWORD.
#[clap(short, long)] #[clap(short, long)]
pub password: String, pub password: Option<String>,
/// Bypass password requirements such as minimum length. Unsafe. /// Bypass password requirements such as minimum length. Unsafe.
#[clap(long)] #[clap(long)]
@@ -100,8 +102,14 @@ pub fn register_finish(
fn main() -> Result<()> { fn main() -> Result<()> {
let opts = CliOpts::parse(); let opts = CliOpts::parse();
let password = match opts.password {
Some(v) => v,
None => env::var("LLDAP_USER_PASSWORD").unwrap_or_default(),
};
ensure!( ensure!(
opts.bypass_password_policy || opts.password.len() >= 8, opts.bypass_password_policy || password.len() >= 8,
"New password is too short, expected at least 8 characters" "New password is too short, expected at least 8 characters"
); );
ensure!( ensure!(
@@ -118,7 +126,7 @@ fn main() -> Result<()> {
let mut rng = rand::rngs::OsRng; let mut rng = rand::rngs::OsRng;
let registration_start_request = let registration_start_request =
opaque::client::registration::start_registration(opts.password.as_bytes(), &mut rng) opaque::client::registration::start_registration(password.as_bytes(), &mut rng)
.context("Could not initiate password change")?; .context("Could not initiate password change")?;
let start_request = registration::ClientRegistrationStartRequest { let start_request = registration::ClientRegistrationStartRequest {
username: opts.username.clone().into(), username: opts.username.clone().into(),
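Review bot: `None => env::var("LLDAP_USER_PASSWORD").unwrap_or_default()` in the `main` hunk turns a missing or non-UTF-8 variable into an empty password; with `--bypass-password-policy` (declared in the earlier hunk) that sets an empty password silently, and without it the user sees the misleading "too short" error instead of the real cause. Since `Context` is already imported, `None => env::var("LLDAP_USER_PASSWORD").context("password must be given via --password or LLDAP_USER_PASSWORD")?,` reports the actual problem. The help text on `password` could also explain why the variable exists, e.g. `/// New password for the user. Prefer the LLDAP_USER_PASSWORD environment variable, since command-line arguments are visible to other local processes.` If clap's `env` feature is enabled, `#[clap(short, long, env = "LLDAP_USER_PASSWORD")]` would replace the manual fallback, but I cannot tell from the hunk whether it is. `main` continues past the end of the hunk.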