Bug 155558 - anaconda-ks.cfg encrypted root password is world readable
Status: CLOSED RAWHIDE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: anaconda
4.0
All Linux
medium Severity medium
Assigned To: Anaconda Maintenance Team
Mike McLean
: Security
Reported: 2005-04-21 09:30 EDT by Benjamin D. Lemasurier
Modified: 2007-11-30 17:07 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-04-21 10:10:29 EDT
Description Benjamin D. Lemasurier 2005-04-21 09:30:08 EDT
Description of problem:
The anaconda-ks.cfg file that is automatically placed in /root upon install is
given read permissions to everyone. This gives unauthorized users access to this
line:
rootpw --iscrypted <encrypted password here>

Version-Release number of selected component (if applicable):

How reproducible:
Install EL4 and type ls -l /root
Actual results:
file is readable by everyone

Expected results:
should be chmod 600
Comment 1 Paul Nasrat 2005-04-21 09:34:10 EDT
/root should be 750 so you can't actually get to the dir to read the file if you
are not root.

ls -ld /root

Try as non-root user

cat /root/anaconda-ks.cfg - you should get permission denied.
Comment 2 Benjamin D. Lemasurier 2005-04-21 09:37:33 EDT
Silly me, you're right. I guess an extra level of paranoia can't hurt though.
Comment 3 Paul Nasrat 2005-04-21 10:10:29 EDT
It looks as if that was the intent - I've committed this to rawhide.
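
The distinction drawn in this thread (a world-readable file kept out of reach only by the mode of /root, versus a file that is itself mode 600) can be audited with a short script. This is an added example, not part of the bug report or of anaconda; the function names and the optional TOP argument (for checking a mounted install tree) are hypothetical, and it assumes GNU stat and ignores group membership and ACLs.

```shell
#!/bin/sh
# Added example: classify how exposed a kickstart file is to "other" users.
# Assumes GNU coreutils (stat -c). Group membership and ACLs are not considered.

# other_bits PATH -> permission digit for "other" (last octal digit of the mode)
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo "$((mode % 10))"
}

# ks_exposure FILE [TOP]
# Checks FILE, then each parent directory up to (not including) TOP (default /).
# Prints one of:
#   restricted - file has no read bit for "other" (what the report asks for)
#   dir-only   - file is world-readable; only a parent directory blocks access
#   exposed    - file is world-readable and every checked parent is traversable
#   missing    - FILE does not exist
ks_exposure() {
    file=$1
    top=${2:-/}
    [ -f "$file" ] || { echo missing; return 0; }
    o=$(other_bits "$file") || return 1
    [ $((o & 4)) -ne 0 ] || { echo restricted; return 0; }
    dir=$(dirname "$file")
    while [ "$dir" != "$top" ] && [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        o=$(other_bits "$dir") || return 1
        # Without the execute (search) bit, "other" cannot enter the directory.
        [ $((o & 1)) -ne 0 ] || { echo dir-only; return 0; }
        dir=$(dirname "$dir")
    done
    echo exposed
}

# has_rootpw FILE -> exit status 0 if the file carries a rootpw directive
has_rootpw() {
    grep -Eq '^[[:space:]]*rootpw[[:space:]]' "$1"
}

# When run with arguments, e.g.: sh ks_check.sh /root/anaconda-ks.cfg
if [ "$#" -gt 0 ]; then
    ks_exposure "$@"
fi
```

A result of dir-only is the situation described in Comment 1: the hash stays unreadable only as long as nobody loosens the mode of /root.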
