Red Hat Bugzilla – Bug 1020187
RHS-C: adminPassword is saved as PLAIN TEXT in the answer file generated as part of rhsc-setup
Last modified: 2015-05-13 12:30:16 EDT
Description of problem:
Wedadmin portal adminPassword is saved as PLAIN TEXT in the answer file which is generated as part of rhsc-setup. See below:
[root@vm07 ]# rhsc-setup --offline
[ INFO ] Stage: Initializing
Web access is enabled at:
Please use the user "admin" and password specified in order to login into oVirt Engine
--== END OF SUMMARY ==--
[ INFO ] Starting engine service
[ INFO ] Restarting httpd
[ INFO ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf'
[ INFO ] Stage: Clean up
Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20131016193957.log
[ INFO ] Stage: Pre-termination
[ INFO ] Stage: Termination
[ INFO ] Execution of setup completed successfully
[root@vm07 ~]# grep adminPassword /var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf
Version-Release number of selected component (if applicable):
[root@vm07 /]# rpm -qa |grep rhsc
How reproducible: 100%
Steps to Reproduce:
1. Install cb4 build as per http://rhsm.pad.engineering.redhat.com/rhsc-build-cb4
2. Run rhsc-setup
3. Grep for "adminPassword" in the answer file generated as part of the setup
Actual results: adminPassword being saved as plain text in the answer file and stored in the server is definitely a high security risk
Expected results: adminPassword should be saved in some encrypted form like DB password
Created attachment 813241 [details]
Core product behavior bugs/features should be opened against upstream or at least rhevm... as RHS-C is not the origin of these issues.
It is correct, answer file contain the entire configuration that is required to setup an identical setup at later time. This is by design.
Correction: Database password is not encrypted as well, you can see it in plain text at /etc/ovirt-engine/engine.conf.d/*, and it is also available in the answer file for the same reason.
It is not that critical to have admin password in clear text during setup as it is initial password for admin to be able to perform first login, he may change the password at any time using:
# engine-config -s AdminPassword=interactive
This will obsolete the password stored at the answer file.
The important issue to fix is bug#1028748, which is already being worked on, to make answer file private to root.
Fix for bug#1028748 is already merged upstream on master, 3.3 and 3.3.1 branches.
Thath fix will also changes the file access permission to root only.
Verified as fixed in cb9
[root@rhs-client3 /]# cd /var/lib/ovirt-engine/setup/answers/
[root@rhs-client3 answers]# ls -al 20131126173041-setup.conf
-rw-------. 1 root root 1171 Nov 26 17:30 20131126173041-setup.conf
Answer file is now private to root.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.