Red Hat Bugzilla – Full Text Bug Listing
|Summary:||[anaconda] keys-wlan0 world readable after wireless network install|
|Product:||[Fedora] Fedora||Reporter:||Joachim Frieben <jfrieben>|
|Component:||anaconda||Assignee:||Radek Vykydal <rvykydal>|
|Status:||CLOSED ERRATA||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||14||CC:||awilliam, jonathan, kparal, rvykydal, tcallawa, vanmeeuwen+fedora|
|Fixed In Version:||anaconda-14.21-1.fc14||Doc Type:||Bug Fix|
|Last Closed:||2010-10-19 18:24:48 EDT|
Description Joachim Frieben 2010-09-21 10:11:34 EDT
Description of problem:
After performing a wireless network install with the F14 Beta RC3 boot media, file keys-wlan0 is world readable ("-rw-r--r--.") which obviously represents a security risk. The encryption key had been provided as an argument to the installer according to "wepkey=<this_wep_key>".

Version-Release number of selected component (if applicable):
anaconda-14.17.4-1.fc14

How reproducible:
Always.

Steps to Reproduce:
1. Perform a wireless network install over a WEP encrypted network.
2. Check file attributes of /etc/sysconfig/network-scripts/keys-wlan0.

Actual results:
File attributes read "-rw-r--r--."

Expected results:
File attributes resemble "-rw-------."

Additional info:
When a duplicate of the same wireless connection is created by means of system-config-network, then the file attributes of keys-wlan0 are "-rw-------." which appears to be correct. Installed packages include system-config-network-1.6.1-1.fc14.
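Added example (not part of the bug report and not anaconda's patch): a key file written with a plain open() inherits its mode from the umask, while an explicit 0600 create keeps it private, and a small audit flags any keys-* file that group or other can access. The function names, the sample key and the temporary directory are constructed for illustration.

```python
import glob
import os
import stat
import tempfile

def write_keys_naive(path, wep_key):
    # Mode comes from the umask: 0666 & ~022 = 0644, the reported symptom.
    with open(path, "w") as f:
        f.write("KEY=%s\n" % wep_key)

def write_keys_private(path, wep_key):
    # Request 0600 at creation so the key is never exposed, even briefly.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        # The O_CREAT mode is ignored for a pre-existing file: tighten explicitly.
        os.fchmod(f.fileno(), 0o600)
        f.write("KEY=%s\n" % wep_key)

def audit_keys_files(directory):
    """Return {path: mode string} for keys-* files accessible to group or other."""
    findings = {}
    for path in sorted(glob.glob(os.path.join(directory, "keys-*"))):
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[path] = stat.filemode(st.st_mode)
    return findings

def demo():
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            # Constructed sample files standing in for network-scripts/keys-*.
            write_keys_naive(os.path.join(d, "keys-wlan0"), "constructed-sample-key")
            write_keys_private(os.path.join(d, "keys-wlan1"), "constructed-sample-key")
            found = audit_keys_files(d)
            return {os.path.basename(p): m for p, m in found.items()}
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())  # only the naively written keys-wlan0 is reported
```

On an installed system, audit_keys_files("/etc/sysconfig/network-scripts") performs the same check as step 2 of the report.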
Comment 1 Radek Vykydal 2010-09-22 09:15:36 EDT
Thanks for the report. This updates image should fix it: http://rvykydal.fedorapeople.org/updates.wepkey.img Unfortunately, I can't test the fix locally as I don't have wireless set up here, could you give it a try?
Comment 2 Joachim Frieben 2010-09-27 09:30:49 EDT
Running the Fedora 14 Beta RC3 netinst.iso, and adding "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer options, I obtain

INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as /tmp/updates.img: mount: you must specify the filesystem type

Furthermore,

/tmp/update-disk:
total 0

and

/tmp/updates:
total 0
drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
-rw-rw-r--. 1 500 500 0 Sep 22 13:07 updates.wepkey.img

At this point, I decided to abort the install since it looks as though "updates.wepkey.img" would not have been applied anyway. Is that correct?
Comment 3 Radek Vykydal 2010-09-27 12:12:19 EDT
(In reply to comment #2)
> Running the Fedora 14 Beta RC3 netinst.iso, and adding
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer
> options, I obtain
>
> INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
> ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as
> /tmp/updates.img: mount: you must specify the filesystem type
>

The message is irrelevant.

> Furthermore,
>
> /tmp/update-disk:
> total 0
>
> and
>
> /tmp/updates:
> total 0
> drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
> -rw-rw-r--. 1 500 500 0 Sep 22 13:07 updates.wepkey.img
>
> At this point, I decided to abort the install since it looks as though
> "updates.wepkey.img" would not have been applied anyway. Is that correct?

No, updates would be applied, I believe /tmp/updates/pyanaconda/network.py is there.
Comment 4 Joachim Frieben 2010-09-27 21:48:13 EDT
After installing system from scratch using "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".
Comment 5 Radek Vykydal 2010-10-06 08:25:10 EDT
(In reply to comment #4)
> After installing system from scratch using
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes
> of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".

Can you please post /var/log/anaconda.log from installed system from comment #4? I can't figure out what might have gone wrong. I have a suspicion that the updates image really was not applied (although what you describe in comment #2 is ok).
Comment 6 Radek Vykydal 2010-10-06 13:34:39 EDT
(In reply to comment #5)
> (In reply to comment #4)
>
> Can you please post /var/log/anaconda.log from installed system from comment
> #4? I can't figure out what might have gone wrong. I have a suspicion that the
> updates image really was not applied (although what you describe in comment #2
> is ok).

It is no longer needed. Finally I was able to set up my own testing environment and I am seeing the same result as you. Thanks for your testing.
Comment 7 Radek Vykydal 2010-10-08 08:10:31 EDT
Proposing as F14 Blocker with hope for Nice To Have. I am not sure how serious this security issue really is. The fix is well isolated and safe. The patch: https://www.redhat.com/archives/anaconda-devel-list/2010-October/msg00029.html
Comment 8 Adam Williamson 2010-10-08 14:05:32 EDT
Discussed at the 2010-10-08 blocker review meeting. Accepted as a blocker under the

"# A bug in a Critical Path package that:
   * Cannot be fixed with a future rawhide update
   * Has a severity rating of high or greater and no reasonable workaround (see definition of severity and priority)
"

catch-all.
Comment 9 Radek Vykydal 2010-10-11 08:25:50 EDT
This should be fixed in anaconda 14.19-1.
Comment 10 Fedora Update System 2010-10-11 17:46:54 EDT
anaconda-14.19-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
Comment 11 Fedora Update System 2010-10-11 22:38:17 EDT
anaconda-14.19-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update anaconda'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
Comment 12 Fedora Update System 2010-10-14 19:57:26 EDT
anaconda-14.20-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.20-1.fc14
Comment 13 Fedora Update System 2010-10-18 23:23:10 EDT
anaconda-14.21-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.21-1.fc14
Comment 14 Kamil Páral 2010-10-19 10:33:12 EDT
Joachim, could you please test the fix with F14 Final TC1.1?
Comment 15 Joachim Frieben 2010-10-19 14:07:45 EDT
I did a net install from scratch using http://alt.fedoraproject.org/pub/alt/stage/14.TC1.1/Fedora/x86_64/iso/Fedora-14-x86_64-netinst.iso on Oct 16, 2010. Resulting attributes of /etc/sysconfig/network-scripts/keys-wlan0 are "-rw-------." Log file /tmp/anaconda.log reports "anaconda version 14.19".
Comment 16 Adam Williamson 2010-10-19 14:16:20 EDT
Thanks, setting VERIFIED.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
Comment 17 Fedora Update System 2010-10-19 18:24:02 EDT
anaconda-14.21-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.