exec {"Set password for hacluster user on $cluster_name":
  command => "/bin/echo ${::pacemaker::hacluster_pwd} | /usr/bin/passwd --stdin hacluster",
The value of ::pacemaker::hacluster_pwd is passed as a command-line argument to /bin/echo. This has two unintended consequences:
1. The password may include special characters, such as $ ; ( , which will be interpreted by the shell.
2. The password will be visible in the process list: echo is a shell builtin, but /bin/echo is an external program, so its arguments appear in the process list. Depending on the scenario, this may disclose the password to a local attacker.
Acknowledgement: this issue was found by Florian Weimer of Red Hat.
https://github.com/redhat-openstack/puppet-pacemaker/blob/5d91343c80f65b64be604f4a61558ff408c0f863/manifests/corosync.pp#L56
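The following shell sketch is an added example, not code from the puppet-pacemaker project: it runs the interpolated /bin/echo form next to a form that hands the password to the consumer through the environment and the printf builtin. The variable name HACLUSTER_PWD, the sample password and the use of cat as a stand-in for "/usr/bin/passwd --stdin hacluster" are assumptions made for the demonstration.

```sh
#!/bin/sh
# Constructed sample password containing a shell metacharacter sequence
# (not a real secret).
SAMPLE_PWD='Pa$$w0rd'

# Weak form, mirroring the manifest: the password is interpolated into the
# command text before a shell parses it. "$$" is expanded to the shell's PID,
# and the value is also an argv entry of the external /bin/echo process,
# which any local user can read from the process list.
weak_form() {
    sh -c "/bin/echo $1 | cat"
}

# Hardened form: the command text is a constant. The password travels in an
# environment variable (hypothetical name HACLUSTER_PWD) and is written to the
# pipe by the printf builtin, so it is never parsed as shell code and never
# becomes an argument of a separate process.
# "cat" stands in for "/usr/bin/passwd --stdin hacluster".
hardened_form() {
    HACLUSTER_PWD="$1" sh -c 'printf "%s\n" "$HACLUSTER_PWD" | cat'
}

echo "weak form delivered:     $(weak_form "$SAMPLE_PWD")"
echo "hardened form delivered: $(hardened_form "$SAMPLE_PWD")"
```

The environment of a process is readable only by its owner and root, unlike its argument list, which is why the hardened form does not reintroduce the process-list exposure.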