Bug 1630536 - yum repos password stored as cleartext
Summary: yum repos password stored as cleartext
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: 6.8.0
Assignee: Ian Ballou
QA Contact: Stephen Wadeley
: 1868697 (view as bug list)
Depends On:
TreeView+ depends on / blocked
Reported: 2018-09-18 21:29 UTC by Stephen Wadeley
Modified: 2020-11-20 17:35 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2020-10-27 12:57:59 UTC
Target Upstream Version:

Attachments (Terms of Use)
Audit log shows redacted password (62.78 KB, image/png)
2020-09-01 07:46 UTC, Stephen Wadeley
no flags Details

System ID Priority Status Summary Last Updated
Foreman Issue Tracker 28112 Normal Closed yum repos password stored as cleartext in audits 2020-11-20 16:18:03 UTC
Foreman Issue Tracker 29931 Normal Closed Root repository upstream password saved in clear text 2020-11-20 16:18:02 UTC
Foreman Issue Tracker 30064 Normal Closed RootRepository password length too short 2020-11-20 16:17:40 UTC
Red Hat Knowledge Base (Solution) 4520651 None None None 2019-10-22 15:16:43 UTC
Red Hat Product Errata RHSA-2020:4366 None None None 2020-10-27 12:58:18 UTC

Description Stephen Wadeley 2018-09-18 21:29:03 UTC
Description of problem:

When you set a password for a repo in "Upstream Password" field, it appears in cleartext in the audit logs.

Due to:

Bug 1630535 - admin password is added to yum repo config

 the admin password can end up in the audit logs.

Version-Release number of selected component (if applicable):

~]# rpm -q satellite

How reproducible:

Steps to Reproduce:
1. Products > Repositories
2. Create a custom product with a yum repository.
3. Add a password to "Upstream Password"
4. Check the audit logs

Actual results:

Admin ( updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to changeme
    Checksum type changed from sha256 to sha1

Expected results:

Admin ( updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to [redacted]
    Checksum type changed from sha256 to sha1

Comment 2 Brad Buckingham 2018-09-21 15:37:21 UTC
Note: this will likely apply to password on any content types.

Comment 7 Kavita 2019-10-23 07:19:16 UTC
Created redmine issue https://projects.theforeman.org/issues/28112 from this bug

Comment 8 Nagoor Shaik 2019-10-23 09:02:05 UTC
Current Workaround until we come up with an official fix

To exclude the "Upstream Password" from capturing in Audit entries

 # vi /opt/theforeman/tfm/root/usr/share/gems/gems/katello-*/app/models/katello/root_repository.rb

  Replace this line 
  audited :except => [:upstream_password]

 # systemctl restart httpd

Comment 11 piytiwar 2020-05-20 18:55:36 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 12 Partha Aji 2020-05-20 18:55:56 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 13 Partha Aji 2020-05-26 16:22:06 UTC
Connecting redmine issue https://projects.theforeman.org/issues/29931 from this bug

Comment 16 Bryan Kearney 2020-08-17 18:54:59 UTC
Connecting redmine issue https://projects.theforeman.org/issues/30064 from this bug

Comment 17 Bryan Kearney 2020-08-17 18:55:23 UTC
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30064 has been resolved.

Comment 18 Justin Sherrill 2020-08-20 17:56:57 UTC
This is already in the 6.8.0 snaps

Comment 19 Justin Sherrill 2020-08-20 18:10:30 UTC
*** Bug 1868697 has been marked as a duplicate of this bug. ***

Comment 20 Stephen Wadeley 2020-09-01 07:46:40 UTC
Created attachment 1713255 [details]
Audit log shows redacted password


Testing on snap 12

[root@dell-r330-12 ~]# rpm -q satellite

Followed procedure as per comment 0

Navigate Monitor > Audit logs

look for

click triangle icon to expand

Upstream password [redacted]

Thank you

Comment 23 errata-xmlrpc 2020-10-27 12:57:59 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.