Bug 129280 - Anaconda puts plain password in lilo.conf.anaconda
Summary: Anaconda puts plain password in lilo.conf.anaconda
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: anaconda
Version: 2
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Jeremy Katz
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2004-08-05 19:44 UTC by Greg
Modified: 2007-11-30 22:10 UTC (History)
2 users (show)

Fixed In Version: 0.42-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-08-10 19:28:55 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Greg 2004-08-05 19:44:48 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.x) Gecko/20031020

Description of problem:
I installed Fedora Core 2, and entered a GRUB password, only to find
that Anaconda created /etc/lilo.conf.anaconda with the GRUB password
in plain text.  LILO is not even used on these systems or available as
an installer option, and this is bad news for someone who uses a
sensitive password for the bootloader!!!

Version-Release number of selected component (if applicable):
as distributed on ISO's

How reproducible:
Didn't try

Steps to Reproduce:
1.Install FC2
2.Set a GRUB password during install
3.View /etc/lilo.conf.anaconda
    

Additional info:
Comment 1 Greg 2004-08-05 21:44:25 UTC 
I should have mentioned that the lilo.conf.anaconda file is mode 0600,
so this is only readable by root, which mitigates the issue somewhat;
nevertheless has a potential for increasing the severity of a
compromise or even of an arbitrary-file-disclosure bug in certain
services, etc.
Comment 2 Jeremy Katz 2004-08-10 19:28:55 UTC 
This is from an attempt to make it easy to migrate from grub->lilo if
needed.  At this point, not putting the plaintext password seems a
bigger win, so changed for booty-0.42-1
Note You need to log in before you can comment on or make changes to this bug.