author | Martin Kosek <mkosek@redhat.com> | 2011-07-12 10:02:09 +0200 |
---|---|---|
committer | Martin Kosek <mkosek@redhat.com> | 2011-07-13 15:16:24 +0200 |
commit | 02520ab98c5c5614c4b11f1a7c35a2f14001dc06 (patch) | |
tree | 02fe1ddfc70e05a5e5a1064ecbd752e5491d4d01 | |
parent | 0cb65fd9f6865d606625ddb16206090779462c1f (diff) | |
Remove sensitive information from logs
When -w/--password option is passed to ipa-replica-install it is
printed to ipareplica-install.log. Make sure that the value of this
option is hidden.
https://fedorahosted.org/freeipa/ticket/1378
-rw-r--r-- | ipapython/ipautil.py | 15 | ||||
-rw-r--r-- | ipaserver/install/replication.py | 7 |
2 files changed, 11 insertions, 11 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py index 91d19e95f..0191662cd 100644 --- a/ipapython/ipautil.py +++ b/ipapython/ipautil.py @@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True, if capture_output: p_out = subprocess.PIPE p_err = subprocess.PIPE - elif len(nolog): - raise RuntimeError("Can't use nolog if output is not captured") p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err, close_fds=True, env=env) @@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True, for value in nolog: if not isinstance(value, basestring): continue - args = args.replace(value, 'XXXXXXXX') - stdout = stdout.replace(value, 'XXXXXXXX') - stderr = stderr.replace(value, 'XXXXXXXX') + quoted = urllib2.quote(value) - args = args.replace(quoted, 'XXXXXXXX') - stdout = stdout.replace(quoted, 'XXXXXXXX') - stderr = stderr.replace(quoted, 'XXXXXXXX') + for nolog_value in (value, quoted): + if capture_output: + stdout = stdout.replace(nolog_value, 'XXXXXXXX') + stderr = stderr.replace(nolog_value, 'XXXXXXXX') + args = args.replace(nolog_value, 'XXXXXXXX') + logging.debug('args=%s' % args) if capture_output: logging.debug('stdout=%s' % stdout) diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index fddb73747..22d4e1ae5 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py 
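Review bot: With the `elif len(nolog)` guard removed, `run()` accepts `nolog` together with `capture_output=False`, but in that mode the child's stdout and stderr are not piped and never pass through the masking loop of the following hunk; only the logged `args` string is scrubbed. A caller can easily read `nolog` as a promise that the value appears nowhere, so the docstring should state the limit, e.g. `nolog values are masked in the logged args; stdout/stderr are masked only when capture_output is True`. The body of `run()` starts and ends outside this hunk, so where uncaptured output ends up is inferred from the `p_out`/`p_err` assignments visible here.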
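Review bot: An empty string in `nolog` passes the `isinstance(value, basestring)` check in the masking loop, and `replace('', 'XXXXXXXX')` then inserts the mask between every character of the logged args and output. Skipping falsy values keeps the log usable: `if not isinstance(value, basestring) or not value: continue`. Because the masking is a plain substring replace, a short secret that also occurs elsewhere in the command line is masked there as well, which tells a reader of the log where the secret repeats; a comment next to the loop noting this would help. The loop sits inside `run()`, which extends beyond the hunk.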
@@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca, "--auto-master-check", "--realm", realm, "--principal", "admin", "--hostname", host_name] + nolog=tuple() if admin_password: args.extend(["--password", admin_password]) + nolog=(admin_password,) if check_ca: args.append('--check-ca') - logging.debug("Running ipa-replica-conncheck with following arguments: %s" % - " ".join(args)) - (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False) + (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False, + nolog=nolog) if returncode != 0: sys.exit("Connection check failed!" + |
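Review bot: The admin password is still passed to ipa-replica-conncheck as a `--password` argument, so `nolog` keeps it out of ipareplica-install.log but not out of the child's command line, which on a default Linux setup other local users can read while the check runs. If ipa-replica-conncheck can take the password another way (through stdin, which `ipautil.run` already accepts as a parameter, or a file readable only by root), that would close the remaining exposure; whether it can is not visible in this diff. Separately, the first element of the returned tuple is bound to `stdin` where `stdout` looks intended. `replica_conn_check` starts and ends outside the hunk.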