Bug 129280 - Anaconda puts plain password in lilo.conf.anaconda
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: anaconda
2
i686 Linux
medium Severity medium
Assigned To: Jeremy Katz
: Security
Reported: 2004-08-05 15:44 EDT by Greg
Modified: 2007-11-30 17:10 EST
Fixed In Version: 0.42-1
Doc Type: Bug Fix
Last Closed: 2004-08-10 15:28:55 EDT
Description Greg 2004-08-05 15:44:48 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.x) Gecko/20031020

Description of problem:
I installed Fedora Core 2, and entered a GRUB password, only to find
that Anaconda created /etc/lilo.conf.anaconda with the GRUB password
in plain text.  LILO is not even used on these systems or available as
an installer option, and this is bad news for someone who uses a
sensitive password for the bootloader!!!

Version-Release number of selected component (if applicable):
as distributed on ISOs

How reproducible:
Didn't try

Steps to Reproduce:
1. Install FC2
2. Set a GRUB password during install
3. View /etc/lilo.conf.anaconda

Additional info:
Comment 1 Greg 2004-08-05 17:44:25 EDT
I should have mentioned that the lilo.conf.anaconda file is mode 0600,
so this is only readable by root, which mitigates the issue somewhat;
nevertheless it has a potential for increasing the severity of a
compromise or even of an arbitrary-file-disclosure bug in certain
services, etc.
Comment 2 Jeremy Katz 2004-08-10 15:28:55 EDT
This is from an attempt to make it easy to migrate from grub->lilo if
needed.  At this point, not putting the plaintext password seems a
bigger win, so changed for booty-0.42-1
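
An added example, not part of the original report and not anaconda or booty code: a small audit that flags cleartext bootloader password directives in LILO-style (`password=VALUE`) and GRUB legacy-style (`password VALUE`) config text, and checks the file mode discussed in Comment 1. The sample file contents are constructed, and treating any `--option` form such as `--md5` as a hashed value is an assumption of this example.

```python
import os
import re
import stat

# LILO syntax: password=VALUE (the form a lilo.conf-style file uses).
LILO_RE = re.compile(r'^\s*password\s*=\s*(\S.*)$', re.IGNORECASE)
# GRUB legacy syntax: password [--md5] VALUE
GRUB_RE = re.compile(r'^\s*password\s+(\S.*)$', re.IGNORECASE)

# Constructed sample data, not taken from a real system.
SAMPLE_LILO = """\
prompt
timeout=50
password=ExamplePlaintext1
image=/boot/vmlinuz
"""
SAMPLE_GRUB = """\
default=0
password --md5 $1$constructed$notARealHashValue000000
"""


def plaintext_password_lines(text):
    """Return (line_number, syntax) per cleartext directive; never the secret."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith('#'):
            continue  # commented-out directive
        lilo, grub = LILO_RE.match(line), GRUB_RE.match(line)
        if lilo and lilo.group(1).strip().strip('"\''):
            findings.append((number, 'lilo'))
        elif grub and not lilo and not grub.group(1).startswith('--'):
            # Assumption: an option such as --md5 means the value is a hash.
            findings.append((number, 'grub-legacy'))
    return findings


def audit_file(path):
    """Scan one file and report whether group/other have any access to it."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding='utf-8', errors='replace') as handle:
        findings = plaintext_password_lines(handle.read())
    return {'group_or_other_access': bool(mode & 0o077), 'findings': findings}


if __name__ == '__main__':
    print(plaintext_password_lines(SAMPLE_LILO))  # constructed sample
    if os.path.exists('/etc/lilo.conf.anaconda'):  # path named in the report
        print(audit_file('/etc/lilo.conf.anaconda'))
```

Reading the real file requires root when it is mode 0600, as Comment 1 describes; the findings carry only line numbers, so they can be logged without repeating the secret.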
