Bug 1630536

Summary: yum repos password stored as cleartext
Product: Red Hat Satellite
Reporter: Stephen Wadeley <swadeley>
Component: Repositories
Assignee: Ian Ballou <iballou>
Status: CLOSED ERRATA
QA Contact: Stephen Wadeley <swadeley>
Severity: high
Docs Contact:
Priority: high
Version: 6.4.0
CC: avroy, bkearney, gpayelka, jsherril, kgaikwad, kkohli, nshaik, paji, seldridg, wpinheir
Target Milestone: 6.8.0
Keywords: Patch, Triaged
Target Release: Unused
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-10-27 12:57:59 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Attachments: Audit log shows redacted password (flags: none)

Description Stephen Wadeley 2018-09-18 21:29:03 UTC
Description of problem:

When you set a password for a repo in "Upstream Password" field, it appears in cleartext in the audit logs.

Due to:

Bug 1630535 - admin password is added to yum repo config

the admin password can end up in the audit logs.


Version-Release number of selected component (if applicable):

~]# rpm -q satellite
satellite-6.4.0-14.el7sat.noarch

How reproducible:


Steps to Reproduce:
1. Products > Repositories
2. Create a custom product with a yum repository.
3. Add a password to "Upstream Password"
4. Check the audit logs

Actual results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to changeme
    Checksum type changed from sha256 to sha1

Expected results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to [redacted]
    Checksum type changed from sha256 to sha1

Comment 2 Brad Buckingham 2018-09-21 15:37:21 UTC
Note: this will likely apply to password on any content types.

Comment 7 Kavita 2019-10-23 07:19:16 UTC
Created redmine issue https://projects.theforeman.org/issues/28112 from this bug

Comment 8 Nagoor Shaik 2019-10-23 09:02:05 UTC
Current Workaround until we come up with an official fix

To exclude the "Upstream Password" from being captured in Audit entries:

~~~
# vi /opt/theforeman/tfm/root/usr/share/gems/gems/katello-*/app/models/katello/root_repository.rb
~~~

Replace this line

~~~
audited
~~~

with

~~~
audited :except => [:upstream_password]
~~~

~~~
# systemctl restart httpd
~~~
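As an added check (example code, not Katello's or the reporter's), the script below scans audit entries in the text form shown in the description and reports any password-like field whose old or new value is neither `[empty]` nor `[redacted]`, which is how a defender can confirm the exposure before, and its absence after, the workaround above or the 6.8 fix. The entry format and the sample entries are taken from this bug; the field name pattern is an assumption.

```ruby
# Added example (not Katello code): detect cleartext secrets in Foreman/Satellite
# audit entries of the form shown in this bug report.
REDACTED_VALUES = ['[redacted]', '[empty]'].freeze   # markers that are safe to see
SENSITIVE_FIELD = /password|secret|token/i            # assumption: which fields count as secrets
CHANGE_LINE = /\A\s*(?<field>.+?) changed from (?<old>.+?) to (?<new>.+?)\s*\z/

# Returns one hash per exposure: the entry header, the field name, and which
# side(s) of the change ("old" and/or "new") still show a cleartext value.
def find_cleartext_secrets(audit_text)
  findings = []
  header = nil
  audit_text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if (m = CHANGE_LINE.match(line))
      next unless SENSITIVE_FIELD.match?(m[:field])
      leaked = { 'old' => m[:old], 'new' => m[:new] }.reject { |_, v| REDACTED_VALUES.include?(v) }
      next if leaked.empty?
      findings << { entry: header, field: m[:field], leaked: leaked.keys }
    else
      # Any non-change line starts a new entry, e.g.
      # "Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264"
      header = line.strip
    end
  end
  findings
end

# Constructed sample: the first entry is the bug's "actual result" (cleartext),
# the second is the "expected result" (redacted).
SAMPLE_AUDIT = <<~AUDIT
  Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

      Upstream password changed from [empty] to changeme
      Checksum type changed from sha256 to sha1

  Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

      Upstream password changed from [empty] to [redacted]
      Checksum type changed from sha256 to sha1
AUDIT

if __FILE__ == $PROGRAM_NAME
  find_cleartext_secrets(SAMPLE_AUDIT).each do |f|
    puts "#{f[:entry]}: '#{f[:field]}' exposes its #{f[:leaked].join(' and ')} value"
  end
end
```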

Comment 11 piytiwar 2020-05-20 18:55:36 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 12 Partha Aji 2020-05-20 18:55:56 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 13 Partha Aji 2020-05-26 16:22:06 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29931 from this bug

Comment 16 Bryan Kearney 2020-08-17 18:54:59 UTC
Connecting redmine issue https://projects.theforeman.org/issues/30064 from this bug

Comment 17 Bryan Kearney 2020-08-17 18:55:23 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30064 has been resolved.

Comment 18 Justin Sherrill 2020-08-20 17:56:57 UTC
This is already in the 6.8.0 snaps

Comment 19 Justin Sherrill 2020-08-20 18:10:30 UTC
*** Bug 1868697 has been marked as a duplicate of this bug. ***

Comment 20 Stephen Wadeley 2020-09-01 07:46:40 UTC
Created attachment 1713255 [details]
Audit log shows redacted password

Hello

Testing on snap 12

[root@dell-r330-12 ~]# rpm -q satellite
satellite-6.8.0-1.el7sat.noarch

Followed procedure as per comment 0

Navigate Monitor > Audit logs

Look for
create KATELLO/ROOT REPOSITORY test_repo

click triangle icon to expand

See:
Upstream password [redacted]

Thank you

Comment 23 errata-xmlrpc 2020-10-27 12:57:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366