Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1630536 - yum repos password stored as cleartext
Summary: yum repos password stored as cleartext
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Satellite
Classification: Red Hat
Component: Repositories
Version: 6.4.0
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: 6.8.0
Assignee: Ian Ballou
QA Contact: Stephen Wadeley
URL:
Whiteboard:
: 1868697 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-09-18 21:29 UTC by Stephen Wadeley
Modified: 2023-09-07 19:23 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-10-27 12:57:59 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Audit log shows redacted password (62.78 KB, image/png)
2020-09-01 07:46 UTC, Stephen Wadeley 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Foreman Issue Tracker 28112 0 Normal Closed yum repos password stored as cleartext in audits 2021-01-24 12:25:23 UTC
Foreman Issue Tracker 29931 0 Normal Closed Root repository upstream password saved in clear text 2021-01-24 12:25:23 UTC
Foreman Issue Tracker 30064 0 Normal Closed RootRepository password length too short 2021-01-24 12:25:23 UTC
Red Hat Knowledge Base (Solution) 4520651 0 None None None 2019-10-22 15:16:43 UTC
Red Hat Product Errata RHSA-2020:4366 0 None None None 2020-10-27 12:58:18 UTC

Description Stephen Wadeley 2018-09-18 21:29:03 UTC 
Description of problem:

When you set a password for a repo in "Upstream Password" field, it appears in cleartext in the audit logs.

Due to:

Bug 1630535 - admin password is added to yum repo config

 the admin password can end up in the audit logs.


Version-Release number of selected component (if applicable):

~]# rpm -q satellite
satellite-6.4.0-14.el7sat.noarch

How reproducible:


Steps to Reproduce:
1. Products > Repositories
2. Create a custom product with a yum repository.
3. Add a password to "Upstream Password"
4. Check the audit logs

Actual results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to changeme
    Checksum type changed from sha256 to sha1

Expected results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to [redacted]
    Checksum type changed from sha256 to sha1
Comment 2 Brad Buckingham 2018-09-21 15:37:21 UTC 
Note: this will likely apply to password on any content types.
Comment 7 Kavita 2019-10-23 07:19:16 UTC 
Created redmine issue https://projects.theforeman.org/issues/28112 from this bug
Comment 8 Nagoor Shaik 2019-10-23 09:02:05 UTC 
Current Workaround until we come up with an official fix

To exclude the "Upstream Password" from capturing in Audit entries

 # vi /opt/theforeman/tfm/root/usr/share/gems/gems/katello-*/app/models/katello/root_repository.rb

  Replace this line 
  ~~~
  audited
  ~~~
 
  with
 
  ~~~   
  audited :except => [:upstream_password]
  ~~~

 # systemctl restart httpd
Comment 11 piytiwar 2020-05-20 18:55:36 UTC 
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug
Comment 12 Partha Aji 2020-05-20 18:55:56 UTC 
Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug
Comment 13 Partha Aji 2020-05-26 16:22:06 UTC 
Connecting redmine issue https://projects.theforeman.org/issues/29931 from this bug
Comment 16 Bryan Kearney 2020-08-17 18:54:59 UTC 
Connecting redmine issue https://projects.theforeman.org/issues/30064 from this bug
Comment 17 Bryan Kearney 2020-08-17 18:55:23 UTC 
Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30064 has been resolved.
Comment 18 Justin Sherrill 2020-08-20 17:56:57 UTC 
This is already in the 6.8.0 snaps
Comment 19 Justin Sherrill 2020-08-20 18:10:30 UTC 
*** Bug 1868697 has been marked as a duplicate of this bug. ***
Comment 20 Stephen Wadeley 2020-09-01 07:46:40 UTC 
Created attachment 1713255 [details]
Audit log shows redacted password

Hello

Testing on snap 12

[root@dell-r330-12 ~]# rpm -q satellite
satellite-6.8.0-1.el7sat.noarch

Followed procedure as per comment 0

Navigate Monitor > Audit logs

look for
create KATELLO/ROOT REPOSITORY test_repo

click triangle icon to expand

See:
Upstream password [redacted]

Thank you
Comment 23 errata-xmlrpc 2020-10-27 12:57:59 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366
Note You need to log in before you can comment on or make changes to this bug.