644305 – Password is visible to non-root users

Bug 644305 - Password is visible to non-root users

Summary: Password is visible to non-root users

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	iodine
Sub Component:
Version:	el5
Hardware:	All
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	---
Assignee:	Pavel Alexeev
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2010-10-19 11:47 UTC by Andy Shevchenko
Modified:	2010-11-26 16:58 UTC (History)
CC List:	2 users (show)
Fixed In Version:	iodine-0.6.0-0.rc1.6.el5
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2010-11-19 22:34:42 UTC
Type:	---
Embargoed:

Attachments	(Terms of Use)

Description Andy Shevchenko 2010-10-19 11:47:16 UTC

Description of problem:
The iodine-server and iodine-client files in the /etc/sysconfig are visible by non-root users.
The impact of that is the password leakage.
So, this is kinda security bug.

Version-Release number of selected component (if applicable):
Official EPEL5.

Comment 1 Pavel Alexeev 2010-10-23 17:08:30 UTC

Firstly thank you for the bugreport.

Most of files in /etc/sysconfig is readable by regular user.
In fact base way provide passwords in command line absolutely is not safe because it potentially accessible through process list. So, change permission on that files nothing does unfortunately.

If you want truly security way you should ask upstream to add f.e. PKI support, or at least (by example VNC) - support read password from provided file.

Comment 2 Andy Shevchenko 2010-10-25 06:58:02 UTC

We are talking about the iodine(d) itself. The others have their own issues.

So, iodine(d) has no security problems with the password visibility (check process tree please) until you introduced the wrong permissions to the file.

Comment 3 Fedora Update System 2010-11-11 05:57:13 UTC

iodine-0.6.0-0.rc1.6.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.el5

Comment 4 Fedora Update System 2010-11-11 06:08:07 UTC

iodine-0.6.0-0.rc1.6.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.fc12

Comment 5 Fedora Update System 2010-11-11 06:12:51 UTC

iodine-0.6.0-0.rc1.6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.fc13

Comment 6 Fedora Update System 2010-11-11 16:38:39 UTC

iodine-0.6.0-0.rc1.6.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iodine'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.el5

Comment 7 Fedora Update System 2010-11-19 22:34:22 UTC

iodine-0.6.0-0.rc1.6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2010-11-19 22:38:23 UTC

iodine-0.6.0-0.rc1.6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2010-11-26 16:58:19 UTC

iodine-0.6.0-0.rc1.6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.