Bug 790402

| Summary: | sosreport should blank root password in anaconda plugin | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Philip Rowlands <bugzilla> |
| Component: | sos | Assignee: | Bryn M. Reeves <bmr> |
| Status: | CLOSED ERRATA | QA Contact: | David Kutálek <dkutalek> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.2 | CC: | agk, bmr, dkutalek, gavin, prc |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | sos-2.2-18.el6 | Doc Type: | Bug Fix |
| Doc Text: | (see below) | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2012-06-20 07:25:42 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 826884 | | |

Doc Text:

* Previous versions of the sos anaconda module would not elide password configuration from collected kickstart configuration files.
* This may lead to unintended disclosure of these password settings.
* The sosreport command now applies a string substitution when collecting these files to ensure passwords are obscured.
* Generated reports no longer include this possibly sensitive information while still retaining important diagnostic data from the module.
Correction: this should be fixed in both the anaconda and general plugins, which both collect /root/anaconda-ks.cfg. Alternatively, take it out of general, as the anaconda plugin is enabled by default.

Thanks for the suggested patch. Agreed, I don't think there's any need to collect this in the general module (generally we're trying to reduce the number of duplicated path copy specs as they potentially mask bugs). The proposed regex substitution seems fine. I'll get this posted upstream and queued for an update.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

* Previous versions of the sos anaconda module would not elide password configuration from collected kickstart configuration files.
* This may lead to unintended disclosure of these password settings.
* The sosreport command now applies a string substitution when collecting these files to ensure passwords are obscured.
* Generated reports no longer include this possibly sensitive information while still retaining important diagnostic data from the module.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHSA-2012-0958.html
sosreport's "anaconda" plugin collects /root/anaconda-ks.cfg, which contains the root password for the system, possibly crypt'd, possibly plain. sosreport should blank this password in a similar way to the ldap plugin's treatment of bindpw in /etc/ldap.conf.

Suggested patch for plugins/anaconda.py:

```python
def postproc(self):
    self.doRegexSub("/root/anaconda-ks.cfg", r"(\s*rootpw\s*)\S+", r"\1***")
    return
```
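To see what the suggested substitution actually removes from a kickstart file, here is an added example (my own code, not from sos and not part of the patch above). It applies the reporter's regex, and a stricter variant of my own, to constructed kickstart lines. The sample file contents and the placeholder hash are invented for the demonstration; `STRICT_SUB` is an assumption about a pattern that also covers the `rootpw --iscrypted <hash>` form anaconda writes when the password was hashed, where the reporter's `\S+` blanks only the `--iscrypted` token and leaves the hash in the report.

```python
import re

# Constructed sample of a /root/anaconda-ks.cfg fragment, not taken from a
# real system. The hash after --iscrypted is a made-up placeholder.
SAMPLE_KS = """\
#version=RHEL6
install
lang en_US.UTF-8
rootpw --iscrypted $6$saltsalt$NotARealHashJustAPlaceholder0123456789abcdef
network --onboot yes --device eth0 --bootproto dhcp
"""

# Constructed sample of a plaintext rootpw line, as anaconda writes it when
# the password was not hashed.
SAMPLE_KS_PLAIN = "rootpw Secret123\n"

# Regex and replacement from the bug report's suggested patch: blanks the
# first non-whitespace token after "rootpw".
REPORTED_SUB = (r"(\s*rootpw\s*)\S+", r"\1***")

# Stricter regex (my own assumption, not sos code): keeps any leading "--"
# options such as --iscrypted or --plaintext, which are useful diagnostics,
# and blanks the last token on the line, which is the secret whether it is a
# crypt hash or plain text.
STRICT_SUB = (r"^(\s*rootpw\b(?:\s+--\S+)*\s+)\S+", r"\1********")


def scrub(text, sub):
    """Apply one (regex, replacement) pair to kickstart text, line by line."""
    regex, repl = sub
    return re.sub(regex, repl, text, flags=re.MULTILINE)


def leaked(text, secrets):
    """Return the secrets that still appear verbatim in scrubbed text."""
    return [s for s in secrets if s in text]


if __name__ == "__main__":
    secrets = ["$6$saltsalt$", "Secret123"]
    for name, sub in (("reported", REPORTED_SUB), ("strict", STRICT_SUB)):
        for sample in (SAMPLE_KS, SAMPLE_KS_PLAIN):
            out = scrub(sample, sub)
            print(f"[{name}] leaked={leaked(out, secrets)}")
            print(out)
```

In the plugin, the same (regex, replacement) pair would be handed to `self.doRegexSub`, which rewrites the copy of the file placed in the report, not `/root/anaconda-ks.cfg` on the host; running `leaked()` over the scrubbed copy with the known secrets is the check that tells the two patterns apart.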