1630536 – yum repos password stored as cleartext

Bug 1630536 - yum repos password stored as cleartext

Summary: yum repos password stored as cleartext

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Satellite
Classification:	Red Hat
Component:	Repositories
Sub Component:
Version:	6.4.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	6.8.0
Assignee:	Ian Ballou
QA Contact:	Stephen Wadeley
Docs Contact:
URL:
Whiteboard:
Duplicates (1):	1868697 (view as bug list)
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-09-18 21:29 UTC by Stephen Wadeley
Modified:	2023-09-07 19:23 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-10-27 12:57:59 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)
Audit log shows redacted password (62.78 KB, image/png) 2020-09-01 07:46 UTC, Stephen Wadeley	no flags	Details
View All

Links
System	ID	Priority	Status	Summary	Last Updated
Foreman Issue Tracker	28112	Normal	Closed	yum repos password stored as cleartext in audits	2021-01-24 12:25:23 UTC
Foreman Issue Tracker	29931	Normal	Closed	Root repository upstream password saved in clear text	2021-01-24 12:25:23 UTC
Foreman Issue Tracker	30064	Normal	Closed	RootRepository password length too short	2021-01-24 12:25:23 UTC
Red Hat Knowledge Base (Solution)	4520651	None	None	None	2019-10-22 15:16:43 UTC
Red Hat Product Errata	RHSA-2020:4366	None	None	None	2020-10-27 12:58:18 UTC

Description Stephen Wadeley 2018-09-18 21:29:03 UTC

Description of problem:

When you set a password for a repo in "Upstream Password" field, it appears in cleartext in the audit logs.

Due to:

Bug 1630535 - admin password is added to yum repo config

 the admin password can end up in the audit logs.


Version-Release number of selected component (if applicable):

~]# rpm -q satellite
satellite-6.4.0-14.el7sat.noarch

How reproducible:


Steps to Reproduce:
1. Products > Repositories
2. Create a custom product with a yum repository.
3. Add a password to "Upstream Password"
4. Check the audit logs

Actual results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to changeme
    Checksum type changed from sha256 to sha1

Expected results:

Admin (10.40.205.48) updated Katello/Repository: Test BZ1625264

    Upstream password changed from [empty] to [redacted]
    Checksum type changed from sha256 to sha1

Comment 2 Brad Buckingham 2018-09-21 15:37:21 UTC

Note: this will likely apply to password on any content types.

Comment 7 Kavita 2019-10-23 07:19:16 UTC

Created redmine issue https://projects.theforeman.org/issues/28112 from this bug

Comment 8 Nagoor Shaik 2019-10-23 09:02:05 UTC

Current Workaround until we come up with an official fix

To exclude the "Upstream Password" from capturing in Audit entries

 # vi /opt/theforeman/tfm/root/usr/share/gems/gems/katello-*/app/models/katello/root_repository.rb

  Replace this line 
  ~~~
  audited
  ~~~
 
  with
 
  ~~~   
  audited :except => [:upstream_password]
  ~~~

 # systemctl restart httpd

Comment 11 piytiwar 2020-05-20 18:55:36 UTC

Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 12 Partha Aji 2020-05-20 18:55:56 UTC

Connecting redmine issue https://projects.theforeman.org/issues/29896 from this bug

Comment 13 Partha Aji 2020-05-26 16:22:06 UTC

Connecting redmine issue https://projects.theforeman.org/issues/29931 from this bug

Comment 16 Bryan Kearney 2020-08-17 18:54:59 UTC

Connecting redmine issue https://projects.theforeman.org/issues/30064 from this bug

Comment 17 Bryan Kearney 2020-08-17 18:55:23 UTC

Moving this bug to POST for triage into Satellite since the upstream issue https://projects.theforeman.org/issues/30064 has been resolved.

Comment 18 Justin Sherrill 2020-08-20 17:56:57 UTC

This is already in the 6.8.0 snaps

Comment 19 Justin Sherrill 2020-08-20 18:10:30 UTC

*** Bug 1868697 has been marked as a duplicate of this bug. ***

Comment 20 Stephen Wadeley 2020-09-01 07:46:40 UTC

Created attachment 1713255 [details]
Audit log shows redacted password

Hello

Testing on snap 12

[root@dell-r330-12 ~]# rpm -q satellite
satellite-6.8.0-1.el7sat.noarch

Followed procedure as per comment 0

Navigate Monitor > Audit logs

look for
create KATELLO/ROOT REPOSITORY test_repo

click triangle icon to expand

See:
Upstream password [redacted]

Thank you

Comment 23 errata-xmlrpc 2020-10-27 12:57:59 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366

Note You need to log in before you can comment on or make changes to this bug.