Description of problem: When installing via FTP to a real account, Anaconda masks the password, leading the user to believe it will use reasonable care with the password. However, it silently saves the password to /root/anaconda-ks.cfg on the installed system. This can easily lead to unintended disclosure of the password. Version-Release number of selected component (if applicable): How reproducible: always Steps to Reproduce: 1. Select FTP install,`non-anonymous FTP'. 2. Proceed with install. 3. Inspect /root/anaconda-ks.cfg Actual results: Plaintext password in the ks file. Expected results: At least a warning on the password-entry form that the password will go into the file. Better would be an option to prevent saving the password. Additional info:
The anaconda-ks.cfg file is safely stored in root's home directory which has 0700 permissions, while the file itself is given 0600 permissions. Note that other passwords are stored in the anaconda-ks.cfg file too.