Description of problem:
After performing a wireless network install with the F14 Beta RC3 boot media, file keys-wlan0 is world readable ("-rw-r--r--."), which obviously represents a security risk. The encryption key had been provided as an argument to the installer according to "wepkey=<this_wep_key>".

Version-Release number of selected component (if applicable):
anaconda-14.17.4-1.fc14

How reproducible:
Always.

Steps to Reproduce:
1. Perform a wireless network install over a WEP encrypted network.
2. Check file attributes of /etc/sysconfig/network-scripts/keys-wlan0.

Actual results:
File attributes read "-rw-r--r--."

Expected results:
File attributes resemble "-rw-------."

Additional info:
When a duplicate of the same wireless connection is created by means of system-config-network, then the file attributes of keys-wlan0 are "-rw-------." which appears to be correct. Installed packages include system-config-network-1.6.1-1.fc14.
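The permission problem reported above, as an added example (not anaconda's code and not the fix referenced in this bug): a key file written with a plain open() beside one created as 0600 from the start, plus an audit that flags keys-* files accessible to group or other. The KEY= file layout, the function names and the sample key are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

def write_key_file_default(path, wepkey):
    """'Before' behaviour: open() creates the file as 0666 & ~umask,
    i.e. 0644 under the usual 022 umask, so any local user can read the key."""
    with open(path, "w") as f:
        f.write("KEY=%s\n" % wepkey)  # assumed file layout

def write_key_file_private(path, wepkey):
    """Create the file with mode 0600 at creation time, so there is no window
    in which the key is readable by other users."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as f:
        # os.open() applies the mode only on creation; tighten an existing file too.
        os.fchmod(fd, 0o600)
        f.write("KEY=%s\n" % wepkey)

def audit_key_files(directory):
    """Return {filename: mode string} for keys-* files group or other can access."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        if not name.startswith("keys-"):
            continue
        st = os.lstat(os.path.join(directory, name))
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings[name] = stat.filemode(st.st_mode)
    return findings

def demo():
    """Run both writers in a scratch directory (constructed key, not a real one)."""
    old_umask = os.umask(0o022)  # typical default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            write_key_file_default(os.path.join(d, "keys-wlan0"), "0123456789")
            write_key_file_private(os.path.join(d, "keys-wlan1"), "0123456789")
            return audit_key_files(d)
    finally:
        os.umask(old_umask)

if __name__ == "__main__":
    print(demo())
```

On an installed system, audit_key_files("/etc/sysconfig/network-scripts") performs the same check as step 2 of the report.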
Thanks for the report. This updates image should fix it: http://rvykydal.fedorapeople.org/updates.wepkey.img Unfortunately, I can't test the fix locally as I don't have wireless set up here, could you give it a try?
Running the Fedora 14 Beta RC3 netinst.iso, and adding "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer options, I obtain

INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as /tmp/updates.img: mount: you must specify the filesystem type

Furthermore,

/tmp/update-disk:
total 0

and

/tmp/updates:
total 0
drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
-rw-rw-r--. 1 500 500 0 Sep 22 13:07 updates.wepkey.img

At this point, I decided to abort the install since it looks as though "updates.wepkey.img" would not have been applied anyway. Is that correct?
(In reply to comment #2)
> Running the Fedora 14 Beta RC3 netinst.iso, and adding
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img" to the installer
> options, I obtain
>
> INFO loader: transferring http://rvykydal.fedorapeople.org/updates.wepkey.img
> ERR loader: failed to mount loopback device /dev/loop7 on /tmp/update-disk as
> /tmp/updates.img: mount: you must specify the filesystem type
>

The message is irrelevant.

> Furthermore,
>
> /tmp/update-disk:
> total 0
>
> and
>
> /tmp/updates:
> total 0
> drwxrwxr-x. 2 500 500 1700 Sep 27 15:11 pyanaconda
> -rw-rw-r--. 1 500 500 0 Sep 22 13:07 updates.wepkey.img
>
> At this point, I decided to abort the install since it looks as though
> "updates.wepkey.img" would not have been applied anyway. Is that correct?

No, updates would be applied, I believe /tmp/updates/pyanaconda/network.py is there.
After installing system from scratch using "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".
(In reply to comment #4)
> After installing system from scratch using
> "updates=http://rvykydal.fedorapeople.org/updates.wepkey.img", file attributes
> of /etc/sysconfig/network-scripts/keys-wlan0 still read "-rw-r--r--".

Can you please post /var/log/anaconda.log from the installed system from comment #4? I can't figure out what might have gone wrong. I have a suspicion that the updates image really was not applied (although what you describe in comment #2 is ok).
(In reply to comment #5)
> (In reply to comment #4)
>
> Can you please post /var/log/anaconda.log from the installed system from comment
> #4? I can't figure out what might have gone wrong. I have a suspicion that the
> updates image really was not applied (although what you describe in comment #2
> is ok).

It is no longer needed. Finally, I was able to set up my own testing environment and I am seeing the same result as you. Thanks for your testing.
Proposing as F14 Blocker with hope for Nice To Have. I am not sure how serious this security issue really is. The fix is well isolated and safe. The patch: https://www.redhat.com/archives/anaconda-devel-list/2010-October/msg00029.html
Discussed at the 2010-10-08 blocker review meeting. Accepted as a blocker under the
"# A bug in a Critical Path package that:
 * Cannot be fixed with a future rawhide update
 * Has a severity rating of high or greater and no reasonable workaround (see definition of severity and priority)"
catch-all.
This should be fixed in anaconda 14.19-1.
anaconda-14.19-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
anaconda-14.19-1.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update anaconda'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/anaconda-14.19-1.fc14
anaconda-14.20-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.20-1.fc14
anaconda-14.21-1.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/anaconda-14.21-1.fc14
Joachim, could you please test the fix with F14 Final TC1.1?
I did a net install from scratch using http://alt.fedoraproject.org/pub/alt/stage/14.TC1.1/Fedora/x86_64/iso/Fedora-14-x86_64-netinst.iso on Oct 16, 2010. Resulting attributes of /etc/sysconfig/network-scripts/keys-wlan0 are "-rw-------." Log file /tmp/anaconda.log reports "anaconda version 14.19".
Thanks, setting VERIFIED.

--
Fedora Bugzappers volunteer triage team
https://fedoraproject.org/wiki/BugZappers
anaconda-14.21-1.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.