Bug 129280 - Anaconda puts plain password in lilo.conf.anaconda
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 2
Hardware: i686
OS: Linux
Assignee: Jeremy Katz
Keywords: Security
Reported: 2004-08-05 19:44 UTC by Greg
Modified: 2007-11-30 22:10 UTC

Fixed In Version: 0.42-1
Doc Type: Bug Fix
Last Closed: 2004-08-10 19:28:55 UTC

Description Greg 2004-08-05 19:44:48 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.x) Gecko/20031020

Description of problem:
I installed Fedora Core 2, and entered a GRUB password, only to find
that Anaconda created /etc/lilo.conf.anaconda with the GRUB password
in plain text.  LILO is not even used on these systems or available as
an installer option, and this is bad news for someone who uses a
sensitive password for the bootloader!!!

Version-Release number of selected component (if applicable):
as distributed on ISOs

How reproducible:
Didn't try

Steps to Reproduce:
1. Install FC2
2. Set a GRUB password during install
3. View /etc/lilo.conf.anaconda

Additional info:

Comment 1 Greg 2004-08-05 21:44:25 UTC
I should have mentioned that the lilo.conf.anaconda file is mode 0600,
so this is only readable by root, which mitigates the issue somewhat;
nevertheless, it has the potential to increase the severity of a
compromise or even of an arbitrary-file-disclosure bug in certain
services, etc.

Comment 2 Jeremy Katz 2004-08-10 19:28:55 UTC
This is from an attempt to make it easy to migrate from grub->lilo if
needed.  At this point, not putting the plaintext password seems a
bigger win, so changed for booty-0.42-1
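
A check an administrator could run on an installed system for the condition described in this report, given as an added example (it is not anaconda's or booty's code). It assumes the password is written with lilo.conf's `password=` keyword; the function names and exit codes are made up for illustration.

```shell
#!/bin/sh
# Added example: audit a LILO-style config file for a cleartext password.
# Assumption: the password is stored with lilo.conf's "password=" keyword.

# Print each password directive with its value masked; return 0 if one exists.
find_plain_password() {
    awk '
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        /^[ \t]*password[ \t]*=/ {
            printf "%s:%d: password=<redacted>\n", FILENAME, NR
            found = 1
        }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Return 0 if group or other hold any permission bit on the file.
is_exposed() {
    perms=$(ls -ld "$1" | cut -c5-10)            # group + other triplets
    [ "$perms" != "------" ]
}

# Exit codes (hypothetical convention for this example):
#   0 no password directive, 1 password present but owner-only,
#   2 file absent or unreadable, 3 password present and open to group/other.
audit_file() {
    { [ -f "$1" ] && [ -r "$1" ]; } || return 2
    find_plain_password "$1" || return 0
    if is_exposed "$1"; then
        echo "$1: also accessible to group/other"
        return 3
    fi
    return 1
}

# Default to the path named in this bug report when no argument is given.
[ "$#" -gt 0 ] || set -- /etc/lilo.conf.anaconda
for f in "$@"; do
    rc=0
    audit_file "$f" || rc=$?
    echo "$f: audit result $rc"
done
```

The value is masked in the output so that running the check does not copy the password into terminal scrollback or logs.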
