Bug 636099

Summary: [anaconda] keys-wlan0 world readable after wireless network install
Product: [Fedora] Fedora Reporter: Joachim Frieben <jfrieben>
Component: anacondaAssignee: Radek Vykydal <rvykydal>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: low    
Version: 14CC: awilliam, jonathan, kparal, rvykydal, tcallawa, vanmeeuwen+fedora
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: AcceptedBlocker
Fixed In Version: anaconda-14.21-1.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-10-19 22:24:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 641108    

Description Joachim Frieben 2010-09-21 14:11:34 UTC 
Description of problem:
After performing a wireless network install with the F14 Beta RC3 boot media, file keys-wlan0 is world readable ("-rw-r--r--.") which obviously represents a security risk. The encryption key had been provided as an argument to the installer according to "wepkey=<this_wep_key>".

Version-Release number of selected component (if applicable):
anaconda-14.17.4-1.fc14

How reproducible:
Always.

Steps to Reproduce:
1. Perform a wireless network install over a WEP encrypted network.
2. Check file attributes of /etc/sysconfig/network-scripts/keys-wlan0.
  
Actual results:
File attributes read "-rw-r--r--."

Expected results:
File attributes ressemble "-rw-------."

Additional info:
When a duplicate of the same wireless connection is created by means of system-config-network, then the file attributes of keys-wlan0 are "-rw-------." which appears to be correct. Installed packages include system-config-network-1.6.1-1.fc14.
Comment 1 Radek Vykydal 2010-09-22 13:15:36 UTC 
Thanks for the report.
This updates image should fix it:
http://rvykydal.fedorapeople.org/updates.wepkey.img
Unfortunately, I can't test the fix locally as I don't have wireless set up here, could you give it a try?
Comment 2 Joachim Frieben 2010-09-27 13:30:49 UTC 
Running the Fedora 14 Beta RC3 netinst.iso, and adding "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer options, I obtain

  INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
  ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as
      /tmp/updates.img: mount: you must specify the filesystem type

Furthermore,

  /tmp/update-disk:
  total 0

and

  /tmp/updates:
  total 0
  drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
  -rw-rw-r--. 1 500 500    0 Sep 22 13:07 updates.wepkey.img

At this point, I decided to abort the install since it looks as whether "updates.wepkey.img" would not have been applied anyway. Is that correct?
Comment 3 Radek Vykydal 2010-09-27 16:12:19 UTC 
(In reply to comment #2)
> Running the Fedora 14 Beta RC3 netinst.iso, and adding
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer
> options, I obtain
> 
>   INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
>   ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as
>       /tmp/updates.img: mount: you must specify the filesystem type
> 

The message is irrelevant.

> Furthermore,
> 
>   /tmp/update-disk:
>   total 0
> 
> and
> 
>   /tmp/updates:
>   total 0
>   drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
>   -rw-rw-r--. 1 500 500    0 Sep 22 13:07 updates.wepkey.img
> 
> At this point, I decided to abort the install since it looks as whether
> "updates.wepkey.img" would not have been applied anyway. Is that correct?

No, updates would be applied, I believe /tmp/updates/pyanaconda/network.py is there.
Comment 4 Joachim Frieben 2010-09-28 01:48:13 UTC 
After installing system from scratch using "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".
Comment 5 Radek Vykydal 2010-10-06 12:25:10 UTC 
(In reply to comment #4)
> After installing system from scratch using
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes
> of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".

Can you please post /var/log/anaconda.log from installed system form comment #4? I can't figure out what might have gone wrong. I have suspicion that the updates image really was not applied (although what you describe in comment #2 is ok).
Comment 6 Radek Vykydal 2010-10-06 17:34:39 UTC 
(In reply to comment #5)
> (In reply to comment #4)

> 
> Can you please post /var/log/anaconda.log from installed system form comment
> #4? I can't figure out what might have gone wrong. I have suspicion that the
> updates image really was not applied (although what you describe in comment #2
> is ok).

It is no longer needed, Finally I was able to set up my own testing environment and I am seeing the same result as you. Thanks for your testing.
Comment 7 Radek Vykydal 2010-10-08 12:10:31 UTC 
Proposing as F14 Blocker with hope for Nice To Have. I am not sure how serious this security issue really is. The fix is well isolated and safe.

The patch:
https://www.redhat.com/archives/anaconda-devel-list/2010-October/msg00029.html
Comment 8 Adam Williamson 2010-10-08 18:05:32 UTC 
Discussed at the 2010-10-08 blocker review meeting. Accepted as a blocker under the "#  A bug in a Critical Path package that:

    * Cannot be fixed with a future rawhide update
    * Has a severity rating of high or greater and no reasonable workaround (see definition of severity and priority) " catch-all.
Comment 9 Radek Vykydal 2010-10-11 12:25:50 UTC 
This should be fixed in anaconda 14.19-1.
Comment 10 Fedora Update System 2010-10-11 21:46:54 UTC 
anaconda-14.19-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
Comment 11 Fedora Update System 2010-10-12 02:38:17 UTC 
anaconda-14.19-1.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update anaconda'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
Comment 12 Fedora Update System 2010-10-14 23:57:26 UTC 
anaconda-14.20-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/anaconda-14.20-1.fc14
Comment 13 Fedora Update System 2010-10-19 03:23:10 UTC 
anaconda-14.21-1.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/anaconda-14.21-1.fc14
Comment 14 Kamil Páral 2010-10-19 14:33:12 UTC 
Joachim, could you please test the fix with F14 Final TC1.1?
Comment 15 Joachim Frieben 2010-10-19 18:07:45 UTC 
I did a net install from scratch using http://alt.fedoraproject.org/pub/alt/stage/14.TC1.1/Fedora/x86_64/iso/Fedora-14-x86_64-netinst.iso on Oct 16, 2010. Resulting attributes of /etc/sysconfig/network-scripts/keys-wlan0 are "-rw-------." Log file /tmp/anaconda.log reports "anaconda version 14.19".
Comment 16 Adam Williamson 2010-10-19 18:16:20 UTC 
thanks, setting VERIFIED.



-- 
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 17 Fedora Update System 2010-10-19 22:24:02 UTC 
anaconda-14.21-1.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.