Bug 1107751
| Summary: | backport fstab and grub.conf password stripping from upstream | |||
|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Bryn M. Reeves <bmr> | |
| Component: | sos | Assignee: | Bryn M. Reeves <bmr> | |
| Status: | CLOSED ERRATA | QA Contact: | David Kutálek <dkutalek> | |
| Severity: | unspecified | Docs Contact: | ||
| Priority: | unspecified | |||
| Version: | 5.10 | CC: | agk, bmr, dkutalek, gavin | |
| Target Milestone: | rc | Keywords: | Patch, Upstream | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | sos-1.7-9.73.el5 | Doc Type: | Bug Fix | |
| Doc Text: |
Cause:
Previous versions of sos would include password material in the grub.conf and fstab files collected by the bootloader and filesys plugins if present on the collection system.
Consequence:
Passwords (either plain text or hashed) could be included in the report tarball.
Fix:
Password and other secrets are now redacted during collection.
Result:
No passwords from the fstab or grub.conf files are now included in the report tarball.
|
Story Points: | --- | |
| Clone Of: | ||||
| : | 1196717 (view as bug list) | Environment: | ||
| Last Closed: | 2014-09-16 00:31:55 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1200.html |
Description of problem: sos-1.7 currently includes CIFS passwords in /etc/fstab and grub plaintext and md5 hashed passwords included in grub.conf files. Both have been fixed upstream and the changes are simple and low-risk. Version-Release number of selected component (if applicable): sos-1.7-*.el5 How reproducible: 100% Steps to Reproduce: 1. Configure passwords in /etc/fstab and /boot/grub/grub.conf 2. Run sosreport 3. Inspect etc/fstab and boot/grub/grub.conf in generated report Actual results: Passwords included. Expected results: Passwords not included. Additional info: commit 7b46d34654735d925bcb2a3e4b27b65dce994519 Author: Bryn M. Reeves <bmr> Date: Fri May 30 14:41:42 2014 +0100 Add postprocessing for /etc/fstab passwords Signed-off-by: Bryn M. Reeves <bmr> commit 6501013bb780161e941f5e078a6ed7052f670a51 Author: Bryn M. Reeves <bmr> Date: Mon Jun 2 15:27:10 2014 +0100 Make sure grub password regex handles all cases The regex to match passwords in grub.conf needs to handle both the --md5 and non-md5 cases and to apply the substitution only to the secret part (password or password hash). This needs to deal with the fact that python will return 'None' for unmatched pattern groups leading to an exception in re.subn() if not all referenced groups match for a given string (in contrast to e.g. the perl approach of treating these groups as the empty string). Make this explicit by using an empty alternate in the possibly unmatched '--md5' group: r"(password\s*)(--md5\s*|\s*)(.*)", r"\1\2********" Signed-off-by: Bryn M. Reeves <bmr> commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1 Author: Bryn M. Reeves <bmr> Date: Mon Jun 2 14:55:03 2014 +0100 Elide bootloader password in grub plugin The grub.conf configuration file collected by the grub plugin may contain a plaintext or md5 hashed bootloader password. Add a regex substitution for all files matching '.*\/grub\.conf' and replace the password with '*'s. Signed-off-by: Bryn M. Reeves <bmr>