Bug 1020187 - RHS-C: adminPassword is saved as PLAIN TEXT in the answer file generated as part of rhsc-setup [NEEDINFO]
RHS-C: adminPassword is saved as PLAIN TEXT in the answer file generated as p...
Status: CLOSED ERRATA
Product: Red Hat Gluster Storage
Classification: Red Hat
Component: rhsc (Show other bugs)
2.1
Unspecified Unspecified
low Severity medium
: ---
: RHGS 2.1.2
Assigned To: Timothy Asir
Prasanth
: ZStream
Depends On: 1028748
Blocks:
  Show dependency treegraph
 
Reported: 2013-10-17 04:44 EDT by Prasanth
Modified: 2015-05-13 12:30 EDT (History)
9 users (show)

See Also:
Fixed In Version: cb9
Doc Type: Bug Fix
Doc Text:
Previously, the password was saved as plain text in the answer file generated during rhsc-setup. Now, with this update, the answer file is made accessible only to the root user.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-02-25 02:53:20 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
sharne: needinfo? (tjeyasin)


Attachments (Terms of Use)
20131016194348-setup.conf (1.05 KB, text/plain)
2013-10-17 04:47 EDT, Prasanth
no flags Details

  None (edit)
Description Prasanth 2013-10-17 04:44:49 EDT
Description of problem:

Wedadmin portal adminPassword is saved as PLAIN TEXT in the answer file which is generated as part of rhsc-setup. See below:

---------------
[root@vm07 ]# rhsc-setup --offline
[ INFO  ] Stage: Initializing
...
.........
............


          Web access is enabled at:
              http://vm07.lab.eng.blr.redhat.com:80/ovirt-engine
              https://vm07.lab.eng.blr.redhat.com:443/ovirt-engine
          Please use the user "admin" and password specified in order to login into oVirt Engine
         
          --== END OF SUMMARY ==--
         
[ INFO  ] Starting engine service
[ INFO  ] Restarting httpd
[ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf'
[ INFO  ] Stage: Clean up
          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20131016193957.log
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ INFO  ] Execution of setup completed successfully
-------------


[root@vm07 ~]# grep adminPassword /var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf
OVESETUP_CONFIG/adminPassword=str:redhat



Version-Release number of selected component (if applicable): 

[root@vm07 /]# rpm -qa |grep rhsc
rhsc-restapi-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-lib-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-cli-2.1.0.0-0.bb3a.el6rhs.noarch
rhsc-webadmin-portal-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-sdk-2.1.0.0-0.bb3a.el6rhs.noarch
rhsc-branding-rhs-3.3.0-1.0.master.201309200500.fc18.noarch
rhsc-backend-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-tools-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-dbscripts-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-setup-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-log-collector-2.1-0.1.el6rhs.noarch


How reproducible: 100%


Steps to Reproduce:
1. Install cb4 build as per http://rhsm.pad.engineering.redhat.com/rhsc-build-cb4
2. Run rhsc-setup
3. Grep for "adminPassword" in the answer file generated as part of the setup


Actual results: adminPassword being saved as plain text in the answer file and stored in the server is definitely a high security risk


Expected results: adminPassword should be saved in some encrypted form like DB password


Additional info:
Comment 1 Prasanth 2013-10-17 04:47:22 EDT
Created attachment 813241 [details]
20131016194348-setup.conf
Comment 3 Alon Bar-Lev 2013-11-11 06:19:22 EST
Hello,

Core product behavior bugs/features should be opened against upstream or at least rhevm... as RHS-C is not the origin of these issues.

It is correct, answer file contain the entire configuration that is required to setup an identical setup at later time. This is by design.

Correction: Database password is not encrypted as well, you can see it in plain text at /etc/ovirt-engine/engine.conf.d/*, and it is also available in the answer file for the same reason.

It is not that critical to have admin password in clear text during setup as it is initial password for admin to be able to perform first login, he may change the password at any time using:

# engine-config -s AdminPassword=interactive

This will obsolete the password stored at the answer file.

The important issue to fix is bug#1028748, which is already being worked on, to make answer file private to root.

Thanks,
Comment 4 Timothy Asir 2013-11-20 07:10:21 EST
Fix for bug#1028748 is already merged upstream on master, 3.3 and 3.3.1 branches.
Thath fix will also changes the file access permission to root only.
Comment 5 Prasanth 2013-11-27 03:22:04 EST
Verified as fixed in cb9

-------

[root@rhs-client3 /]# cd /var/lib/ovirt-engine/setup/answers/


[root@rhs-client3 answers]# ls -al 20131126173041-setup.conf
-rw-------. 1 root root 1171 Nov 26 17:30 20131126173041-setup.conf

-------

Answer file is now private to root.
Comment 7 errata-xmlrpc 2014-02-25 02:53:20 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0208.html

Note You need to log in before you can comment on or make changes to this bug.