This file is indexed.

/usr/sbin/gosa-encrypt-passwords is in gosa 2.7.4+reloaded2-13+deb9u1.

This file is owned by root:root, with mode 0o755.

The actual contents of the file can be viewed below.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
#!/usr/bin/php
<?php

function cred_encrypt($input, $password) {

  $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
  $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);

  return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $input, MCRYPT_MODE_ECB, $iv));
}


function get_random_char() {
  $randno = rand (0, 63);
  if ($randno < 12) {
    return (chr ($randno + 46)); // Digits, '/' and '.'
  } else if ($randno < 38) {
    return (chr ($randno + 53)); // Uppercase
  } else {
    return (chr ($randno + 59)); // Lowercase
  }
}


function get_random_string($size= 32){
  $str= "";
  for ($i = 0; $i < $size; $i++) {
    $str .= get_random_char();
  }
  return $str;
}


# We need to have access to gosa.secrets
if (posix_getuid() != 0){
  die ("This program needs to be called by root!\n");
}

# Do we have a valid gosa.conf?
if (!file_exists("/etc/gosa/gosa.conf")){
  die ("Cannot find a valid /etc/gosa/gosa.conf!\n");
}

echo "Starting password encryption\n";
echo "* generating random master key\n";
$master_key= get_random_string();

# Do we have a valid gosa.secrets, already? 
if (file_exists("/etc/gosa/gosa.secrets")){
  die ("There's already a /etc/gosa/gosa.secrets. Cannot convert your existing gosa.conf - aborted\n");
} else {
  echo "* creating /etc/gosa/gosa.secrets\n";
  $fp = fopen("/etc/gosa/gosa.secrets", 'w') or die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
  fwrite($fp, "RequestHeader set GOSAKEY $master_key\n");
  fclose($fp);
  chmod ("/etc/gosa/gosa.secrets", 0600);
  chown ("/etc/gosa/gosa.secrets", "root");
  chgrp ("/etc/gosa/gosa.secrets", "root");
}

# Locate all passwords inside the gosa.conf
echo "* loading /etc/gosa/gosa.conf\n";
$conf = new DOMDocument();
$conf->load("/etc/gosa/gosa.conf") or die ("Cannot read /etc/gosa/gosa.conf - aborted\n");
$conf->encoding = 'UTF-8';
$referrals= $conf->getElementsByTagName("referral");
foreach($referrals as $referral){
  $user = $referral->attributes->getNamedItem("adminDn");
  echo "* encrypting GOsa password for: ".$user->nodeValue."\n";
  $pw= $referral->attributes->getNamedItem("adminPassword");
  $pw->nodeValue= cred_encrypt($pw->nodeValue, $master_key);
}

# Encrypt the snapshot passwords 
$locations= $conf->getElementsByTagName("location");
foreach($locations as $location){
  $name = $location->attributes->getNamedItem("name"); 
  $node = $location->attributes->getNamedItem("snapshotAdminPassword"); 
  if($node->nodeValue){
    echo "* encrypting snapshot pasword for location: ".$name->nodeValue."\n";
    $node->nodeValue = cred_encrypt($node->nodeValue, $master_key);;
  }
}

# Move original gosa.conf out of the way and make it unreadable for the web user
echo "* creating backup in /etc/gosa/gosa.conf.orig\n";
rename("/etc/gosa/gosa.conf", "/etc/gosa/gosa.conf.orig");
chmod("/etc/gosa/gosa.conf.orig", 0600);
chown ("/etc/gosa/gosa.conf.orig", "root");
chgrp ("/etc/gosa/gosa.conf.orig", "root");

# Save new passwords
echo "* saving modified /etc/gosa/gosa.conf\n";
$conf->save("/etc/gosa/gosa.conf") or die("Cannot write modified /etc/gosa/gosa.conf - aborted\n");
chmod("/etc/gosa/gosa.conf", 0640);
chown ("/etc/gosa/gosa.conf", "root");
chgrp ("/etc/gosa/gosa.conf", "www-data");
echo "OK\n\n";

# Print reminder
echo<<<EOF
Please adapt your http gosa location declaration to include the newly
created "/etc/gosa/gosa.secrets".

Example:

Alias /gosa /usr/share/gosa/html

<Location /gosa>
  php_admin_flag engine on
  php_admin_value open_basedir "/etc/gosa/:/usr/share/gosa/:/var/cache/gosa/:/var/spool/gosa/"
  php_admin_flag register_globals off
  php_admin_flag allow_call_time_pass_reference off
  php_admin_flag expose_php off
  php_admin_flag zend.ze1_compatibility_mode off
  include /etc/gosa/gosa.secrets
</Location>


Please reload your httpd configuration after you've modified anything.


EOF;
?>