Red Hat Bugzilla – Bug 155558
anaconda-ks.cfg encrypted root password is world readable
Last modified: 2007-11-30 17:07:17 EST
Description of problem:
The anaconda-ks.cfg file that is automatically placed in /root upon install is
given read permissions to everyone. This gives unauthorized users access to this
rootpw --iscrypted <encrypted password here>
Version-Release number of selected component (if applicable):
Install EL4 and type ls -l /root
file is readable by everyone
should be chmod 600
/root should be 750 so you can't actually get to the dir to read the file if you
are not root.
ls -ld /root
Try as non-root user
cat /root/anaconda-ks.cfg - you should get permission denied.
Silly me, you're right. I guess an extra level of paranoia can't hurt though.
It looks as if that was the intent - I've committed this to rawhide.
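The distinction drawn in this thread (a world-readable file inside a directory that others cannot enter, versus a file that is itself mode 600) can be checked from the mode bits alone. The following is an added example, not part of the bug report or of anaconda; the function name ks_exposure and its result labels are hypothetical, it assumes GNU stat, and it inspects only the immediate parent directory rather than every ancestor.

```shell
#!/bin/sh
# Added example (not from the bug report): classify how exposed the
# "rootpw --iscrypted" line in a kickstart file is to non-owner users.
# Prints one of:
#   no-hash    file carries no "rootpw ... --iscrypted" line
#   exposed    file is other-readable and its directory is other-searchable
#   dir-only   file is other-readable, but the directory blocks other users
#              (the 644 file in a 750 /root discussed in the comments)
#   protected  file itself is not other-readable (e.g. mode 600)
ks_exposure() {
    f=$1
    grep -Eq '^[[:space:]]*rootpw[[:space:]].*--iscrypted' "$f" || {
        echo no-hash
        return 0
    }
    # Octal modes, e.g. 644 and 750 (GNU stat assumed).
    fmode=$(stat -c %a "$f") || return 2
    dmode=$(stat -c %a "$(dirname "$f")") || return 2
    # The last octal digit holds the permissions for "other".
    fo=${fmode#"${fmode%?}"}
    do_=${dmode#"${dmode%?}"}
    if [ $(( fo & 4 )) -eq 0 ]; then
        echo protected          # read bit for others is clear on the file
    elif [ $(( do_ & 1 )) -eq 0 ]; then
        echo dir-only           # only the directory's missing search bit protects it
    else
        echo exposed
    fi
}

# Optional command-line use: sh ks_exposure.sh /root/anaconda-ks.cfg
if [ $# -gt 0 ]; then
    ks_exposure "$1"
fi
```

A result of dir-only means the hash stays private only as long as the directory mode is never loosened and the file is never copied elsewhere with its mode preserved.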