Bug 155558 - anaconda-ks.cfg encrypted root password is world readable
Summary: anaconda-ks.cfg encrypted root password is world readable
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: anaconda
Version: 4.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Anaconda Maintenance Team
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-04-21 13:30 UTC by ben lemasurier
Modified: 2007-11-30 22:07 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-04-21 14:10:29 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)

Description ben lemasurier 2005-04-21 13:30:08 UTC
Description of problem:
the anaconda-ks.cfg file that is automatically placed in /root upon install is
given read permissions to everyone. This gives unauthorized users access to this
line:
rootpw --iscrypted <encrypted password here>

Version-Release number of selected component (if applicable):

How reproducible:
Install EL4 and type ls -l /root
Actual results:
file is readable by everyone

Expected results:
should be chmod 600

Comment 1 Paul Nasrat 2005-04-21 13:34:10 UTC
/root should be 750 so you can't actually get to the dir to read the file if you
are not root.

ls -ld /root

Try as non-root user

cat /root/anaconda-ks.cfg - you should get permission denied.

Comment 2 ben lemasurier 2005-04-21 13:37:33 UTC
Silly me, your right. I guess an extra level of paranoia can't hurt though.

Comment 3 Paul Nasrat 2005-04-21 14:10:29 UTC
It looks as if that was the intent - I've commited this to rawhide.


Note You need to log in before you can comment on or make changes to this bug.