Bug 1107751 - backport fstab and grub.conf password stripping from upstream
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sos
Version: 5.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Bryn M. Reeves
QA Contact: David Kutálek
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-06-10 14:17 UTC by Bryn M. Reeves
Modified: 2014-09-16 00:31 UTC (History)

Fixed In Version: sos-1.7-9.73.el5
Doc Type: Bug Fix
Doc Text:
Cause: Previous versions of sos would include password material in the grub.conf and fstab files collected by the bootloader and filesys plugins if present on the collection system.
Consequence: Passwords (either plain text or hashed) could be included in the report tarball.
Fix: Password and other secrets are now redacted during collection.
Result: No passwords from the fstab or grub.conf files are now included in the report tarball.
Clone Of:
: 1196717 (view as bug list)
Environment:
Last Closed: 2014-09-16 00:31:55 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2014:1200 0 normal SHIPPED_LIVE sos bug fix update 2014-09-16 04:17:05 UTC

Description Bryn M. Reeves 2014-06-10 14:17:19 UTC
Description of problem:
sos-1.7 currently includes CIFS passwords in /etc/fstab, and grub plaintext and md5 hashed passwords in grub.conf files.

Both have been fixed upstream and the changes are simple and low-risk.

Version-Release number of selected component (if applicable):
sos-1.7-*.el5

How reproducible:
100%

Steps to Reproduce:
1. Configure passwords in /etc/fstab and /boot/grub/grub.conf
2. Run sosreport
3. Inspect etc/fstab and boot/grub/grub.conf in generated report

Actual results:
Passwords included.

Expected results:
Passwords not included.

Additional info:
commit 7b46d34654735d925bcb2a3e4b27b65dce994519
Author: Bryn M. Reeves <bmr>
Date:   Fri May 30 14:41:42 2014 +0100

    Add postprocessing for /etc/fstab passwords
    
    Signed-off-by: Bryn M. Reeves <bmr>


commit 6501013bb780161e941f5e078a6ed7052f670a51
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 15:27:10 2014 +0100

    Make sure grub password regex handles all cases
    
    The regex to match passwords in grub.conf needs to handle both
    the --md5 and non-md5 cases and to apply the substitution only
    to the secret part (password or password hash).
    
    This needs to deal with the fact that python will return 'None'
    for unmatched pattern groups leading to an exception in re.subn()
    if not all referenced groups match for a given string (in contrast
    to e.g. the perl approach of treating these groups as the empty
    string).
    
    Make this explicit by using an empty alternate in the possibly
    unmatched '--md5' group:
    
                r"(password\s*)(--md5\s*|\s*)(.*)",
                r"\1\2********"
    
    Signed-off-by: Bryn M. Reeves <bmr>


commit 23182c4f13fbadc9b7c2ab75c1ca249d5ba987d1
Author: Bryn M. Reeves <bmr>
Date:   Mon Jun 2 14:55:03 2014 +0100

    Elide bootloader password in grub plugin
    
    The grub.conf configuration file collected by the grub plugin may
    contain a plaintext or md5 hashed bootloader password. Add a regex
    substitution for all files matching '.*\/grub\.conf' and replace
    the password with '*'s.
    
    Signed-off-by: Bryn M. Reeves <bmr>
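
Added example, not code from sos or from the commits above: the grub.conf substitution quoted in the second commit message, run over constructed input, next to the optional-group form it avoids. The fstab pattern, the sample files and the helper names are assumptions made for this illustration.

```python
import re

# Pattern and replacement quoted in the commit message above.
GRUB_PASSWORD = re.compile(r"(password\s*)(--md5\s*|\s*)(.*)")
GRUB_REPLACEMENT = r"\1\2********"
# The form the commit avoids: an optional group instead of an empty alternate.
GRUB_OPTIONAL = re.compile(r"(password\s*)(--md5\s*)?(.*)")
# Assumption: the page does not show the fstab pattern; this one is written
# for the example and redacts the value of a password= mount option.
FSTAB_PASSWORD = re.compile(r"(password=)[^\s,]*")

# Constructed samples; the host, hash and passwords are made up.
SAMPLE_GRUB_CONF = """\
default=0
timeout=5
password --md5 $1$CONSTRUCTED$0123456789abcdefghijkl
title Example entry
\tpassword plaintextsecret
\tkernel /vmlinuz-example ro root=/dev/sda1
"""
SAMPLE_FSTAB = ("//fileserver.example/share /mnt/share cifs "
                "username=backup,password=hunter2,ro 0 0\n")


def scrub_grub(text):
    """Return (scrubbed, count); the keyword and --md5 flag are preserved."""
    return GRUB_PASSWORD.subn(GRUB_REPLACEMENT, text)


def scrub_fstab(text):
    """Return (scrubbed, count); other mount options are left untouched."""
    return FSTAB_PASSWORD.subn(r"\1********", text)


def md5_group(pattern, line):
    """Return what the second (--md5) group captured for one line."""
    return pattern.search(line).group(2)


if __name__ == "__main__":
    print(scrub_grub(SAMPLE_GRUB_CONF)[0], end="")
    print(scrub_fstab(SAMPLE_FSTAB)[0], end="")
    # Empty alternate: the group always takes part in the match, so ''.
    print(repr(md5_group(GRUB_PASSWORD, "password plaintextsecret")))
    # Optional group: None. Before Python 3.5 a \2 reference to it made
    # re.subn() raise "unmatched group"; 3.5 and later substitute ''.
    print(repr(md5_group(GRUB_OPTIONAL, "password plaintextsecret")))
```

A useful post-collection check is to search the scrubbed output for the original secrets and fail the run if any survive.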

Comment 2 RHEL Program Management 2014-06-10 14:28:37 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 6 errata-xmlrpc 2014-09-16 00:31:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1200.html

