Bug 1719327 - Passwords saved in clear-text variable files during HE deployment via cockpit-ovirt
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: cockpit-ovirt
Version: 4.3.4
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: ovirt-4.3.5
Assignee: Ido Rosenzwig
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On: 1703678
Blocks:
Reported: 2019-06-11 14:07 UTC by Ido Rosenzwig
Modified: 2022-07-09 14:12 UTC (History)

Fixed In Version: cockpit-ovirt-0.13.2
Doc Type: Bug Fix
Doc Text:
Cause: Passwords were saved in a clear-text file during the deployment process. At the end of the deployment the file was erased.
Consequence: Passwords were readable for some amount of time.
Fix: Passwords removed from the file.
Result: The passwords aren't readable during the deployment.
Clone Of: 1703678
Environment:
Last Closed: 2019-08-12 11:53:51 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHV-47450 0 None None None 2022-07-09 14:12:27 UTC
Red Hat Product Errata RHSA-2019:2433 0 None None None 2019-08-12 11:54:01 UTC
oVirt gerrit 100255 0 'None' 'MERGED' 'Use named pipe for sensitive variables' 2019-12-09 04:37:16 UTC
oVirt gerrit 100273 0 'None' 'MERGED' 'Use named pipe for sensitive variables' 2019-12-09 04:37:16 UTC
oVirt gerrit 100274 0 'None' 'MERGED' 'Filter passwords from the log files' 2019-12-09 04:37:16 UTC
oVirt gerrit 100277 0 'None' 'MERGED' 'Filter passwords from the log files' 2019-12-09 04:37:16 UTC
oVirt gerrit 100310 0 'None' 'MERGED' 'Use cockpit API to send sensitive data to the named pipe' 2019-12-09 04:37:16 UTC
oVirt gerrit 100311 0 'None' 'MERGED' 'Use cockpit API to send sensitive data to the named pipe' 2019-12-09 04:37:17 UTC

Comment 11 Sandro Bonazzola 2019-06-14 09:54:10 UTC
Fixed in upstream cockpit-ovirt-0.13.2

Comment 16 Wei Wang 2019-06-14 10:04:40 UTC
QE will verify it until getting new build.

Comment 17 Wei Wang 2019-06-21 06:44:30 UTC
Test Version
RHVH-4.3-20190620.7-RHVH-x86_64-dvd1.iso
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.2-2.el7ev.noarch

Test Steps:
According to comment 0

Result:
Application password and admin password are not in clear-text.
[root@dell-perxxx-xx ~]# cat /var/lib/ovirt-hosted-engine-setup/cockpit/ansibleVarFileHThRJZ.var
he_local_vm_dir_path: /var/tmp
he_local_vm_dir_prefix: localvm
he_filtered_tokens_vars: ['ADMIN_PASSWORD','APPLIANCE_PASSWORD','ISCSI_PASSWORD','ISCSI_DISCOVER_PASSWORD','ROOTPWD','he_appliance_password','he_admin_password','he_iscsi_password','he_iscsi_discover_password','ansible_ssh_pass']
he_filtered_tokens_re: ['BEGIN PRIVATE KEY(?P<filter>.*)END PRIVATE KEY']
he_enable_hc_gluster_service: false
he_bridge_if: em1
he_bridge: ovirtmgmt
he_fqdn: rhevh-hostedengine-vm-xx.lab.eng.pek2.redhat.com
he_host_address: dell-perxxx-xx.lab.eng.pek2.redhat.com
he_vcpus: 4
he_maxvcpus: 24
he_cpu_sockets: 1
he_emulated_machine: null
he_vm_uuid: 169bf9f7-a3c5-468d-90ac-f6631fa0e7e7
he_vm_mac_addr: "52:54:00:34:04:b0"
he_mem_size_MB: 16384
he_vm_ip_addr: null
he_vm_ip_prefix: null
he_time_zone: Asia/Shanghai 
he_appliance_ova: null
he_cloud_init_host_name: rhevh-hostedengine-vm-xx
he_cloud_init_domain_name: lab.eng.pek2.redhat.com
he_root_ssh_pubkey: null
he_root_ssh_access: "yes"
he_vm_etc_hosts: true
he_apply_openscap_profile: false
he_cdrom_uuid: null
he_cdrom: null
he_nic_uuid: null
he_console_uuid: null
he_video_device: vga
he_graphics_device: vnc
he_vm_name: HostedEngine
he_enable_libgfapi: null
he_host_name: dell-perxxx-xx.lab.eng.pek2.redhat.com
he_console_type: vnc
he_cpu_type: model_Conroe


QE cannot reproduce this bug, verified.
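
The manual check in comment 17 can be automated; the following is an added example, not code from cockpit-ovirt or from this bug report. It assumes the flat `key: value` layout shown above, treats every name in `he_filtered_tokens_vars` as a variable that must not carry a value in the file, and applies each `he_filtered_tokens_re` pattern to the remaining values; `parse_vars`, `find_leaks` and both sample files are hypothetical and constructed for illustration.

```python
import ast
import re

# Constructed samples: LEAKY mimics a pre-fix var file that still carries a
# secret; CLEAN follows the layout shown in comment 17.
LEAKY = """\
he_filtered_tokens_vars: ['ADMIN_PASSWORD','he_appliance_password','he_admin_password']
he_filtered_tokens_re: ['BEGIN PRIVATE KEY(?P<filter>.*)END PRIVATE KEY']
he_bridge: ovirtmgmt
he_admin_password: "constructed-secret"
he_appliance_password: null
"""
CLEAN = """\
he_filtered_tokens_vars: ['ADMIN_PASSWORD','he_appliance_password','he_admin_password']
he_filtered_tokens_re: ['BEGIN PRIVATE KEY(?P<filter>.*)END PRIVATE KEY']
he_bridge: ovirtmgmt
he_vm_mac_addr: "52:54:00:34:04:b0"
"""

EMPTY = {"", "null", "~", '""', "''"}  # values that mean "nothing stored"


def parse_vars(text):
    """Parse the flat 'key: value' lines used by the var file (not full YAML)."""
    pairs = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and not key.startswith("#"):
            pairs[key.strip()] = value.strip()
    return pairs


def find_leaks(text):
    """Return sorted findings: filtered-token keys holding a value, and regex hits."""
    pairs = parse_vars(text)
    tokens = set(ast.literal_eval(pairs.get("he_filtered_tokens_vars", "[]")))
    patterns = ast.literal_eval(pairs.get("he_filtered_tokens_re", "[]"))
    findings = [f"var:{k}" for k, v in pairs.items() if k in tokens and v not in EMPTY]
    # Scan only the other variables: the pattern definition line matches itself.
    body = "\n".join(v for k, v in pairs.items() if not k.startswith("he_filtered_tokens"))
    findings += [f"re:{p}" for p in patterns if re.search(p, body, re.DOTALL)]
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("leaky", LEAKY), ("clean", CLEAN)):
        print(name, find_leaks(sample) or "no filtered tokens present")
```

An empty result corresponds to the state QE verified; any `var:` or `re:` finding means the file still holds material that the fix was meant to keep out of it.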

Comment 20 errata-xmlrpc 2019-08-12 11:53:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2433

