authorMartin Kosek <mkosek@redhat.com>2011-07-12 10:02:09 +0200
committerMartin Kosek <mkosek@redhat.com>2011-07-13 15:16:24 +0200
commit02520ab98c5c5614c4b11f1a7c35a2f14001dc06 (patch)
tree02fe1ddfc70e05a5e5a1064ecbd752e5491d4d01
parent0cb65fd9f6865d606625ddb16206090779462c1f (diff)
Remove sensitive information from logs
When the -w/--password option is passed to ipa-replica-install, its value is printed to ipareplica-install.log. Make sure that the value of this option is hidden. https://fedorahosted.org/freeipa/ticket/1378
-rw-r--r--ipapython/ipautil.py15
-rw-r--r--ipaserver/install/replication.py7
2 files changed, 11 insertions, 11 deletions
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 91d19e95f..0191662cd 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -210,8 +210,6 @@ def run(args, stdin=None, raiseonerr=True,
if capture_output:
p_out = subprocess.PIPE
p_err = subprocess.PIPE
- elif len(nolog):
- raise RuntimeError("Can't use nolog if output is not captured")
p = subprocess.Popen(args, stdin=p_in, stdout=p_out, stderr=p_err,
close_fds=True, env=env)
@@ -224,13 +222,14 @@ def run(args, stdin=None, raiseonerr=True,
for value in nolog:
if not isinstance(value, basestring):
continue
- args = args.replace(value, 'XXXXXXXX')
- stdout = stdout.replace(value, 'XXXXXXXX')
- stderr = stderr.replace(value, 'XXXXXXXX')
+
quoted = urllib2.quote(value)
- args = args.replace(quoted, 'XXXXXXXX')
- stdout = stdout.replace(quoted, 'XXXXXXXX')
- stderr = stderr.replace(quoted, 'XXXXXXXX')
+ for nolog_value in (value, quoted):
+ if capture_output:
+ stdout = stdout.replace(nolog_value, 'XXXXXXXX')
+ stderr = stderr.replace(nolog_value, 'XXXXXXXX')
+ args = args.replace(nolog_value, 'XXXXXXXX')
+
logging.debug('args=%s' % args)
if capture_output:
logging.debug('stdout=%s' % stdout)
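Review bot: An empty string in `nolog` passes the `isinstance` guard, and `args.replace('', 'XXXXXXXX')` then inserts the mask between every character of the logged command line (and of stdout/stderr when they are captured); extending the guard to `if not isinstance(value, basestring) or not value:` avoids that. Separately, with the RuntimeError removed in the previous hunk, `nolog` combined with `capture_output=False` masks only the logged `args`, so output the child writes itself does not pass through this filter, and run()'s docstring should say so. The masking is a plain substring replace, so a value that also occurs elsewhere in the arguments is masked there as well, which can hint at the value to someone reading the log. run() starts and ends outside this hunk, so its docstring and the point where `args` becomes a string are not visible here.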
diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py
index fddb73747..22d4e1ae5 100644
--- a/ipaserver/install/replication.py
+++ b/ipaserver/install/replication.py
@@ -55,15 +55,16 @@ def replica_conn_check(master_host, host_name, realm, check_ca,
"--auto-master-check", "--realm", realm,
"--principal", "admin",
"--hostname", host_name]
+ nolog=tuple()
if admin_password:
args.extend(["--password", admin_password])
+ nolog=(admin_password,)
if check_ca:
args.append('--check-ca')
- logging.debug("Running ipa-replica-conncheck with following arguments: %s" %
- " ".join(args))
- (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False, capture_output=False)
+ (stdin, stderr, returncode) = ipautil.run(args,raiseonerr=False,capture_output=False,
+ nolog=nolog)
if returncode != 0:
sys.exit("Connection check failed!" +