Bug 1020187 - RHS-C: adminPassword is saved as PLAIN TEXT in the answer file generated as part of rhsc-setup
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Gluster Storage
Classification: Red Hat Storage
Component: rhsc
Version: 2.1
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: RHGS 2.1.2
Assignee: Timothy Asir
QA Contact: Prasanth
URL:
Whiteboard:
Depends On: 1028748
Blocks:
Reported: 2013-10-17 08:44 UTC by Prasanth
Modified: 2023-09-14 01:52 UTC

Fixed In Version: cb9
Doc Type: Bug Fix
Doc Text:
Previously, the password was saved as plain text in the answer file generated during rhsc-setup. Now, with this update, the answer file is made accessible only to the root user.
Clone Of:
Environment:
Last Closed: 2014-02-25 07:53:20 UTC
Embargoed:


Attachments
20131016194348-setup.conf (1.05 KB, text/plain), 2013-10-17 08:47 UTC, Prasanth


Links
Red Hat Product Errata RHEA-2014:0208 (priority normal, status SHIPPED_LIVE): Red Hat Storage 2.1 enhancement and bug fix update #2, last updated 2014-02-25 12:20:30 UTC

Description Prasanth 2013-10-17 08:44:49 UTC
Description of problem:

Webadmin portal adminPassword is saved as PLAIN TEXT in the answer file which is generated as part of rhsc-setup. See below:

---------------
[root@vm07 ]# rhsc-setup --offline
[ INFO  ] Stage: Initializing
...
.........
............


          Web access is enabled at:
              http://vm07.lab.eng.blr.redhat.com:80/ovirt-engine
              https://vm07.lab.eng.blr.redhat.com:443/ovirt-engine
          Please use the user "admin" and password specified in order to login into oVirt Engine
         
          --== END OF SUMMARY ==--
         
[ INFO  ] Starting engine service
[ INFO  ] Restarting httpd
[ INFO  ] Generating answer file '/var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf'
[ INFO  ] Stage: Clean up
          Log file is located at /var/log/ovirt-engine/setup/ovirt-engine-setup-20131016193957.log
[ INFO  ] Stage: Pre-termination
[ INFO  ] Stage: Termination
[ INFO  ] Execution of setup completed successfully
-------------


[root@vm07 ~]# grep adminPassword /var/lib/ovirt-engine/setup/answers/20131016194348-setup.conf
OVESETUP_CONFIG/adminPassword=str:redhat



Version-Release number of selected component (if applicable): 

[root@vm07 /]# rpm -qa |grep rhsc
rhsc-restapi-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-lib-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-cli-2.1.0.0-0.bb3a.el6rhs.noarch
rhsc-webadmin-portal-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-sdk-2.1.0.0-0.bb3a.el6rhs.noarch
rhsc-branding-rhs-3.3.0-1.0.master.201309200500.fc18.noarch
rhsc-backend-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-tools-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-dbscripts-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-setup-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-2.1.2-0.0.scratch.beta1.el6_4.noarch
rhsc-log-collector-2.1-0.1.el6rhs.noarch


How reproducible: 100%


Steps to Reproduce:
1. Install cb4 build as per http://rhsm.pad.engineering.redhat.com/rhsc-build-cb4
2. Run rhsc-setup
3. Grep for "adminPassword" in the answer file generated as part of the setup


Actual results: adminPassword being saved as plain text in the answer file and stored in the server is definitely a high security risk


Expected results: adminPassword should be saved in some encrypted form like DB password


Additional info:

Comment 1 Prasanth 2013-10-17 08:47:22 UTC
Created attachment 813241 [details]
20131016194348-setup.conf

Comment 3 Alon Bar-Lev 2013-11-11 11:19:22 UTC
Hello,

Core product behavior bugs/features should be opened against upstream or at least rhevm... as RHS-C is not the origin of these issues.

It is correct, the answer file contains the entire configuration that is required to set up an identical setup at a later time. This is by design.

Correction: Database password is not encrypted as well, you can see it in plain text at /etc/ovirt-engine/engine.conf.d/*, and it is also available in the answer file for the same reason.

It is not that critical to have admin password in clear text during setup as it is initial password for admin to be able to perform first login, he may change the password at any time using:

# engine-config -s AdminPassword=interactive

This will obsolete the password stored at the answer file.

The important issue to fix is bug#1028748, which is already being worked on, to make answer file private to root.

Thanks,

Comment 4 Timothy Asir 2013-11-20 12:10:21 UTC
Fix for bug#1028748 is already merged upstream on master, 3.3 and 3.3.1 branches.
That fix will also change the file access permission to root only.

Comment 5 Prasanth 2013-11-27 08:22:04 UTC
Verified as fixed in cb9

-------

[root@rhs-client3 /]# cd /var/lib/ovirt-engine/setup/answers/


[root@rhs-client3 answers]# ls -al 20131126173041-setup.conf
-rw-------. 1 root root 1171 Nov 26 17:30 20131126173041-setup.conf

-------

Answer file is now private to root.
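A small audit script, added here as an example and not part of the bug or of rhsc-setup/ovirt-engine, that checks an answer file the way Comment 5 does (is it private to root?) and also lists the keys that still hold a plaintext credential, which Comment 3 notes is by design. The file contents, the example values and the OVESETUP_DB/password key name are constructed for the demo; only adminPassword is taken from the report.

```python
import os
import re
import stat
import tempfile

# Keys whose values are credentials. adminPassword is from the bug report;
# the OVESETUP_DB/password key used in demo() is an assumed name.
SECRET_KEY_RE = re.compile(r"(?i)(password|passwd)$")

def audit_answer_file(path, expected_uid=0):
    """Return {"perm": [...], "secrets": [...]}: exposure problems and plaintext credential keys."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    perm = []
    if st.st_uid != expected_uid:
        perm.append(f"owner uid {st.st_uid} != {expected_uid}")
    if mode & 0o077:
        perm.append(f"mode {mode:04o} is readable by group/other")
    secrets = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            # Values are typed ("str:...", "none:None"); only str: carries data.
            if SECRET_KEY_RE.search(key) and value.startswith("str:"):
                secrets.append(key)
    return {"perm": perm, "secrets": secrets}

def harden_answer_file(path):
    """Apply the fix from bug#1028748: make the file readable by its owner only."""
    os.chmod(path, 0o600)

def demo():
    # Constructed answer-file content modelled on the attachment to this bug.
    sample = ("[environment:default]\n"
              "OVESETUP_CONFIG/adminPassword=str:example-password\n"
              "OVESETUP_DB/password=str:example-db-password\n"
              "OVESETUP_CONFIG/fqdn=str:vm07.example\n")
    with tempfile.NamedTemporaryFile("w", suffix="-setup.conf", delete=False) as fh:
        fh.write(sample)
        path = fh.name
    os.chmod(path, 0o644)  # the pre-fix state: world-readable
    before = audit_answer_file(path, expected_uid=os.getuid())
    harden_answer_file(path)  # the cb9 fix: 0600, as the ls -al in Comment 5 shows
    after = audit_answer_file(path, expected_uid=os.getuid())
    os.unlink(path)
    return before, after
```

After hardening, the permission finding disappears but the credential keys are still reported: the fix limits who can read the file, it does not remove the plaintext values from it.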

Comment 7 errata-xmlrpc 2014-02-25 07:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2014-0208.html

Comment 8 Red Hat Bugzilla 2023-09-14 01:52:08 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days

