Configuration file /etc/sysconfig/virt-who may contain passwords but its permissions are 644 (rw-r--r--). It should be 600 (rw-------) to prevent non-root users to read the configuration file.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Fixed in virt-who-0.9-2.el5. The fix only affects new installations (when the config file not yet exists), it might break some user workflow when we would change that for existing installations.
Verified on virt-who-0.9-2.el5 Configuration file /etc/sysconfig/virt-who permissions has updated to 600 (rw-------) [root@dhcp-128-110 libvirt-test-API]# ls -al /etc/sysconfig/virt-who -rw------- 1 root root 2088 Apr 27 21:55 /etc/sysconfig/virt-who
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1206.html