Red Hat Bugzilla – Bug 157563
Anaconda quietly saves the FTP password
Last modified: 2007-11-30 17:11:05 EST
Description of problem:
When installing via FTP to a real account, Anaconda masks the password, leading
the user to believe it will use reasonable care with the password. However, it
silently saves the password to /root/anaconda-ks.cfg on the installed system.
This can easily lead to unintended disclosure of the password.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Select FTP install, `non-anonymous FTP'.
2. Proceed with install.
3. Inspect /root/anaconda-ks.cfg
Plaintext password in the ks file.
At least a warning on the password-entry form that the password will go into the
file. Better would be an option to prevent saving the password.
The anaconda-ks.cfg file is safely stored in root's home directory which has
0700 permissions, while the file itself is given 0600 permissions. Note that
other passwords are stored in the anaconda-ks.cfg file too.
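
A defender's check for the disclosure discussed in this report, as an added example that is not part of the bug report or of Anaconda: it scans kickstart text for passwords embedded in install URLs and for unencrypted `rootpw` lines, and returns a redacted copy that is safe to share. The `url --url ftp://user:password@host/path` form for how the FTP credentials appear in the file is an assumption, and the sample content and the names `audit_kickstart` and `redact_url` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample kickstart content (not taken from the bug report).
SAMPLE_KS = """\
# Kickstart file automatically generated by anaconda.
install
url --url ftp://builduser:s3cret@ftp.example.com/pub/os
rootpw --iscrypted $1$constructed$hash
"""

# Assumption: credentials appear as URL userinfo (user:password@host).
URL_RE = re.compile(r"\b(?:ftp|https?)://[^\s\"']+", re.I)

def redact_url(url):
    """Return (redacted_url, had_password) for a URL that may carry userinfo."""
    parts = urlsplit(url)
    if parts.password is None:
        return url, False
    # rpartition keeps working when the password itself contains '@'.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    user = userinfo.split(":", 1)[0]
    netloc = f"{user}:***@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True

def audit_kickstart(text):
    """Return (findings, redacted_text); findings are (line_no, kind) tuples."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        # Comment lines are scanned too: a commented-out URL still discloses the password.
        for url in URL_RE.findall(line):
            red, had = redact_url(url)
            if had:
                findings.append((no, "url-password"))
                line = line.replace(url, red)
        words = line.split()
        args = [w for w in words[1:] if not w.startswith("--")]
        if words and words[0] == "rootpw" and "--iscrypted" not in words and args:
            findings.append((no, "plaintext-rootpw"))
            line = "rootpw ***"
        out.append(line)
    return findings, "\n".join(out) + "\n"

if __name__ == "__main__":
    findings, redacted = audit_kickstart(SAMPLE_KS)
    for no, kind in findings:
        print(f"line {no}: {kind}")
    print(redacted)
```

To audit an installed system, pass the contents of /root/anaconda-ks.cfg to `audit_kickstart` and rotate any credential it reports.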