
Bug 576534 - Password displayed on console when entered in command-line utilities

https://bugzilla.redhat.com/show_bug.cgi?id=576534
Resolves: bug 576534
Bug Description: Password displayed on console when entered in command-line utilities
Reviewed by: nhosoi (Thanks!)
Branch: master
Fix Description: Add a new configurable path - sttyexec - to configure.ac.
This is the absolute path and filename of the stty command to use with
the -echo and echo options to disable and enable tty echo for password
entry with perl scripts.  By default it is set to /bin/stty but it can be
overridden on a per-platform basis in configure.ac.  I had to move
DialogManager.pm to DialogManager.pm.in in order to replace the stty
command used there (which actually worked with just stty - not sure
why that worked but other perl scripts did not).
Platforms tested: RHEL6 x86_64
Flag Day: yes - file renamed - autoconf file changes
Doc impact: no
Rich Megginson преди 15 години
родител
ревизия
a7fe1a31f0

+ 2 - 0
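--- a/Makefile.am
+++ b/Makefile.am
@@ -1390,6 +1390,7 @@ fixupcmd = sed \
 	-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
 	-e 's,@with_selinux\@,@with_selinux@,g' \
 	-e 's,@perlexec\@,@perlexec@,g' \
+	-e 's,@sttyexec\@,@sttyexec@,g' \
 	-e 's,@initconfigdir\@,$(initconfigdir),g'\
 	-e 's,@updatedir\@,$(updatedir),g' \
 	-e 's,@ldaplib\@,$(ldaplib),g' \
@@ -1451,6 +1452,7 @@ fixupcmd = sed \
 	-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
 	-e 's,@with_selinux\@,@with_selinux@,g' \
 	-e 's,@perlexec\@,@perlexec@,g' \
+	-e 's,@sttyexec\@,@sttyexec@,g' \
 	-e 's,@initconfigdir\@,$(initconfigdir),g' \
 	-e 's,@updatedir\@,$(updatedir),g' \
 	-e 's,@ldaplib\@,$(ldaplib),g' \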

+ 3 - 0
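--- a/Makefile.in
+++ b/Makefile.in
@@ -1235,6 +1235,7 @@ serverincdir = $(includedir)@serverincdir@
 serverplugindir = $(libdir)@serverplugindir@
 sharedstatedir = @sharedstatedir@
 srcdir = @srcdir@
+sttyexec = @sttyexec@
 svrcore_inc = @svrcore_inc@
 svrcore_lib = @svrcore_lib@
 sysconfdir = @sysconfdir@
@@ -2471,6 +2472,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS
 @BUNDLE_FALSE@	-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
 @BUNDLE_FALSE@	-e 's,@with_selinux\@,@with_selinux@,g' \
 @BUNDLE_FALSE@	-e 's,@perlexec\@,@perlexec@,g' \
+@BUNDLE_FALSE@	-e 's,@sttyexec\@,@sttyexec@,g' \
 @BUNDLE_FALSE@	-e 's,@initconfigdir\@,$(initconfigdir),g' \
 @BUNDLE_FALSE@	-e 's,@updatedir\@,$(updatedir),g' \
 @BUNDLE_FALSE@	-e 's,@ldaplib\@,$(ldaplib),g' \
@@ -2542,6 +2544,7 @@ rsearch_bin_LDADD = $(NSPR_LINK) $(NSS_LINK) $(LDAPSDK_LINK) $(SASL_LINK) $(LIBS
 @BUNDLE_TRUE@	-e 's,@with_fhs_opt\@,@with_fhs_opt@,g' \
 @BUNDLE_TRUE@	-e 's,@with_selinux\@,@with_selinux@,g' \
 @BUNDLE_TRUE@	-e 's,@perlexec\@,@perlexec@,g' \
+@BUNDLE_TRUE@	-e 's,@sttyexec\@,@sttyexec@,g' \
 @BUNDLE_TRUE@	-e 's,@initconfigdir\@,$(initconfigdir),g'\
 @BUNDLE_TRUE@	-e 's,@updatedir\@,$(updatedir),g' \
 @BUNDLE_TRUE@	-e 's,@ldaplib\@,$(ldaplib),g' \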

+ 11 - 0
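--- a/configure
+++ b/configure
@@ -669,6 +669,7 @@ SOLARIS_TRUE
 HPUX_FALSE
 HPUX_TRUE
 initconfigdir
+sttyexec
 perlexec
 initdir
 LIBCRUN
@@ -17060,6 +17061,15 @@ fi
 # and HP-UX, /usr/bin/perl is 32 bit, so we cannot use
 # those with our 64 bit compiled product.
 perlexec='/usr/bin/env perl'
+# we use stty in perl scripts to disable password echo
+# this doesn't work unless the full absolute path of the
+# stty command is used e.g. system("stty -echo") does not
+# work but system("/bin/stty -echo") does work
+# since the path of stty may not be the same on all
+# platforms, we set the default here to /bin/stty and
+# allow that value to be overridden in the platform
+# specific section below
+sttyexec=/bin/stty
 case $host in
   *-*-linux*)
 
@@ -17288,6 +17298,7 @@ fi
 
 
 
+
 # set default initconfigdir if not already set
 # value will be set so as to be relative to $(sysconfdir)
 if test -z "$initconfigdir" ; then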

+ 10 - 0
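--- a/configure.ac
+++ b/configure.ac
@@ -357,6 +357,15 @@ AC_ARG_WITH(initddir,
 # and HP-UX, /usr/bin/perl is 32 bit, so we cannot use
 # those with our 64 bit compiled product.
 perlexec='/usr/bin/env perl'
+# we use stty in perl scripts to disable password echo
+# this doesn't work unless the full absolute path of the
+# stty command is used e.g. system("stty -echo") does not
+# work but system("/bin/stty -echo") does work
+# since the path of stty may not be the same on all
+# platforms, we set the default here to /bin/stty and
+# allow that value to be overridden in the platform
+# specific section below
+sttyexec=/bin/stty
 case $host in
   *-*-linux*)
     AC_DEFINE([XP_UNIX], [1], [UNIX])
@@ -467,6 +476,7 @@ if test -n "$with_initddir" ; then
 fi
 AC_SUBST(initdir)
 AC_SUBST(perlexec)
+AC_SUBST(sttyexec)
 
 # set default initconfigdir if not already set
 # value will be set so as to be relative to $(sysconfdir)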
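Review bot: The default `sttyexec=/bin/stty` is never checked for existence, and the platform-specific override promised by the comment is not visible in either hunk. On a host where stty lives elsewhere the scripts would be generated with a path that cannot run, and the password would be echoed again. Consider resolving the path at configure time from a fixed directory list rather than the builder's PATH, for example `AC_PATH_PROG([sttyexec], [stty], [/bin/stty], [/bin:/usr/bin])`, which also performs the AC_SUBST. The `case $host` block continues outside the hunk, so an override may already exist there.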

+ 2 - 2
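--- a/ldap/admin/src/scripts/DialogManager.pm
+++ b/ldap/admin/src/scripts/DialogManager.pm.in
@@ -164,13 +164,13 @@ sub showPrompt {
     print ": ";
     # if we are prompting for a password, disable console echo
     if ($ispwd) {
-        system("stty -echo");
+        system("@sttyexec@ -echo");
     }
     # read the answer
     my $ans = <STDIN>;
     # if we are prompting for a password, enable console echo
     if ($ispwd) {
-        system("stty echo");
+        system("@sttyexec@ echo");
         print "\n";
     }
     chop($ans); # trim trailing newline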
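Review bot: The result of both `system("@sttyexec@ ...")` calls in showPrompt is discarded, so if the configured stty cannot be executed the prompt still reads the password with echo enabled, which is the failure this commit is meant to remove. Checking the status, e.g. `system("@sttyexec@", "-echo") == 0 or warn "cannot disable terminal echo\n";`, makes that visible, and the list form keeps the substituted path away from the shell. Unlike the template scripts, this call is also not guarded by `-t STDIN`. The same unchecked pattern appears in every template-*.pl.in section of this commit; showPrompt begins and ends outside the hunk.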

+ 2 - 2
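--- a/ldap/admin/src/scripts/template-bak2db.pl.in
+++ b/ldap/admin/src/scripts/template-bak2db.pl.in
@@ -93,11 +93,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }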
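Review bot: Echo is restored only on the straight-line path after `$passwd = <STDIN>;`, so an interrupt during the read ends the script with the terminal still in `-echo` mode. A handler installed just before echo is disabled, such as `local $SIG{INT} = sub { system("@sttyexec@", "echo"); exit 1 };`, would put the terminal back; it should sit under the same `-t STDIN` test. The same disable/read/enable sequence is repeated in the other template-*.pl.in sections and in DialogManager.pm.in. The enclosing if/else block starts outside the hunk.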

+ 2 - 2
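--- a/ldap/admin/src/scripts/template-db2bak.pl.in
+++ b/ldap/admin/src/scripts/template-db2bak.pl.in
@@ -90,11 +90,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }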

+ 2 - 2
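--- a/ldap/admin/src/scripts/template-db2index.pl.in
+++ b/ldap/admin/src/scripts/template-db2index.pl.in
@@ -129,11 +129,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }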

+ 2 - 2
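--- a/ldap/admin/src/scripts/template-db2ldif.pl.in
+++ b/ldap/admin/src/scripts/template-db2ldif.pl.in
@@ -181,11 +181,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }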

+ 2 - 2
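--- a/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-linkedattrs.pl.in
@@ -111,11 +111,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }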

+ 2 - 2
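--- a/ldap/admin/src/scripts/template-fixup-memberof.pl.in
+++ b/ldap/admin/src/scripts/template-fixup-memberof.pl.in
@@ -120,11 +120,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }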

+ 2 - 2
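--- a/ldap/admin/src/scripts/template-ldif2db.pl.in
+++ b/ldap/admin/src/scripts/template-ldif2db.pl.in
@@ -169,11 +169,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }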

+ 2 - 2
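--- a/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
+++ b/ldap/admin/src/scripts/template-ns-accountstatus.pl.in
@@ -465,11 +465,11 @@ if ($pwfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$rootpw = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($rootpw); # trim trailing newline
 }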

+ 2 - 2
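--- a/ldap/admin/src/scripts/template-ns-activate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-activate.pl.in
@@ -465,11 +465,11 @@ if ($pwfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$rootpw = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($rootpw); # trim trailing newline
 }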

+ 2 - 2
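--- a/ldap/admin/src/scripts/template-ns-inactivate.pl.in
+++ b/ldap/admin/src/scripts/template-ns-inactivate.pl.in
@@ -465,11 +465,11 @@ if ($pwfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$rootpw = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($rootpw); # trim trailing newline
 }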

+ 2 - 2
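--- a/ldap/admin/src/scripts/template-schema-reload.pl.in
+++ b/ldap/admin/src/scripts/template-schema-reload.pl.in
@@ -110,11 +110,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }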

+ 2 - 2
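--- a/ldap/admin/src/scripts/template-syntax-validate.pl.in
+++ b/ldap/admin/src/scripts/template-syntax-validate.pl.in
@@ -120,11 +120,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }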

+ 2 - 2
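--- a/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
+++ b/ldap/admin/src/scripts/template-usn-tombstone-cleanup.pl.in
@@ -124,11 +124,11 @@ if ($passwdfile ne ""){
 # Read the password from terminal
 	print "Bind Password: ";
 	# Disable console echo
-	system("stty -echo") if -t STDIN;
+	system("@sttyexec@ -echo") if -t STDIN;
 	# read the answer
 	$passwd = <STDIN>;
 	# Enable console echo
-	system("stty echo") if -t STDIN;
+	system("@sttyexec@ echo") if -t STDIN;
 	print "\n";
 	chop($passwd); # trim trailing newline
 }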