Created attachment 1450029 [details] Snapshot of the password being printed out just before shutdown Description of problem: As far as experimented, this happens only after a fresh installation of Fedora; however, since as the result the root password is printed out at shutdown, it can be considered a potentially serious vulnerability. Version-Release number of selected component (if applicable): N.A. How reproducible: very reproducible Steps to Reproduce: 1. After installation of Fedora completes, boot into the fresh system. 2. The user is now asked for the initial configuration including creating a user account and specifying a password for it. 3. Right after finishing the configuration as guided by Fedora, proceed with a restart or a shutdown. 4. On the resulting black screen, a number of system messages are printed out. The very last line is the root password that is printed (see the attachment) Actual results: - Expected results: - Additional info: The printed password can be seen in the attached snapshot. The root password in this case was set to be romeoAs452.
Hmm, how exactly did you install Fedora (the image name incl. version would be best). When "user is now asked for the initial configuration", do you mean by aconda (the installer, graphically,), or by systemd-firstboot (a text prompt on the console)?
(In reply to Zbigniew Jędrzejewski-Szmek from comment #1) > Hmm, how exactly did you install Fedora (the image name incl. version would > be best). > > When "user is now asked for the initial configuration", do you mean by > aconda (the installer, graphically,), or by systemd-firstboot (a text prompt > on the console)? To the first question: I used Fedora-Workstation-Live-x86_64-28-1.1.iso from Fedora's download page and wrote the image on a USB stick which I then used for the installation. To answer the second question, I did the initial configuration graphically via Anaconda.
Thanks. Systemd has its own password reading and writing code, which could be used if the machine is booted completely unconfigured. But if you're using anaconda, then that code is not used at all, and most likely systemd is not touching the passwords at all. I'll reassign this to anaconda for comments.
(In reply to Zbigniew Jędrzejewski-Szmek from comment #3) > Thanks. Systemd has its own password reading and writing code, which could > be used if the machine is booted completely unconfigured. But if you're > using anaconda, then that code is not used at all, and most likely systemd > is not touching the passwords at all. I'll reassign this to anaconda for > comments. I see; thank you too.
Plymouth could also be involved. It would be interesting to check if this happens with 'plymouth.enable=0' on the kernel commandline.
This message is a reminder that Fedora 28 is nearing its end of life. On 2019-May-28 Fedora will stop maintaining and issuing updates for Fedora 28. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '28'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 28 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 28 changed to end-of-life (EOL) status on 2019-05-28. Fedora 28 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.