Bug 31397

Summary: Mageia installer leaves a copy of root password hash in /root/drakx/auto_inst.cfg.pl
Product: Mageia
Reporter: Paul Blackburn <paul.blackburn>
Component: Installer
Assignee: Mageia tools maintainers <mageiatools>
Status: NEW ---
QA Contact:
Severity: normal
Priority: Normal
CC: mageia, pterjan
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM:
CVE:
Status comment:

Description Paul Blackburn 2023-01-12 11:57:50 CET
Description of problem:

There appears to be a copy of the root password hash in /root/drakx/auto_inst.cfg.pl.

Directory permissions on /root and /root/drakx are good: root only access.
File permissions on /root/drakx/auto_inst.cfg.pl are 644. Probably better if set to 640 (provided that does not break anything).

# ls -ld /root /root/drakx /root/drakx/auto_inst.cfg.pl
drwxr-x--- 14 root root  4096 Jan  6 19:09 /root/
drwx------  2 root root  4096 Jul  9  2021 /root/drakx/
-rw-r--r--  1 root root 11249 Jul  9  2021 /root/drakx/auto_inst.cfg.pl

The password hash can be viewed (when authenticated as root) with: 

< /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p"


I am wondering: is it necessary to keep a copy of the root password hash in /root/drakx/auto_inst.cfg.pl?
Perhaps it would be better either removed from or redacted in auto_inst.cfg.pl after the install is completed?



Version-Release number of selected component (if applicable):


How reproducible: happens every time Mageia is installed


Steps to Reproduce:
1. install Mageia
2. examine /root/drakx/auto_inst.cfg.pl with:
   < /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p"

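A small shell audit for the situation described in this report, added here as an example (not code from the report or from Mageia): it reads the file mode, tests whether the 'superuser' block still carries a password hash, and redacts that value while setting the 640 mode suggested above. It assumes a Linux system (GNU stat and sed) and that the hash sits under a 'pw' key inside the block selected by the report's sed range; that key name is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): audit an auto_inst.cfg.pl for a
# stored root password hash, then redact it and tighten the mode to 640.
# Assumptions: Linux userland (GNU stat/sed); the hash lives under a 'pw' key
# inside the 'superuser' block that the report's sed range selects.

# Build a constructed sample file that mimics that structure (the hash value
# below is a placeholder, not a real hash).
make_sample() {
  cat > "$1" <<'EOF'
$o = {
  'superuser' => {
                   'pw' => '$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHVALUE',
                   'realname' => 'root',
                   'shell' => '/bin/bash'
                 },
  'users' => []
};
EOF
  chmod 644 "$1"
}

# Octal permission bits of the file, e.g. 644.
file_mode() { stat -c '%a' "$1"; }

# Succeeds (exit 0) when the 'superuser' block carries a non-empty 'pw' value.
has_root_hash() {
  sed -n "/'superuser'/,/},/p" "$1" | grep -q "'pw' => '[^'][^']*'"
}

# Blank the 'pw' value inside the 'superuser' block only (other keys are kept)
# and drop world-read permission. Writing through cat keeps owner and inode.
harden() {
  tmp=$(mktemp) || return 1
  sed "/'superuser'/,/},/ s/\('pw' => '\)[^']*'/\1'/" "$1" > "$tmp" &&
    cat "$tmp" > "$1"
  rm -f "$tmp"
  chmod 640 "$1"
}

# Demo on the constructed sample only; point the functions at a real
# /root/drakx/auto_inst.cfg.pl to audit or harden it.
sample=$(mktemp)
make_sample "$sample"
if has_root_hash "$sample"; then echo "root hash copy present (mode $(file_mode "$sample"))"; fi
harden "$sample"
has_root_hash "$sample" || echo "redacted, mode now $(file_mode "$sample")"
rm -f "$sample"
```

Redacting the value leaves the rest of the file usable as an auto_inst template, but a reinstall from it would then need the root password supplied another way.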
Comment 1 Lewis Smith 2023-01-12 19:35:52 CET
Thank you for this detailed report.

Assigning forthwith to the Installer people.

Component: RPM Packages => Installer
Assignee: bugsquad => mageiatools

Comment 2 Martin Whitaker 2023-01-13 00:57:57 CET
I agree it would be better to set the file permissions to 640, but as the directory can only be accessed by root, I don't think it's a serious issue. I don't see a problem with the password hash being viewable by root, as the same hash is viewable in /etc/shadow.

auto_inst.cfg.pl is there to allow a system to be reinstalled without any manual input, so yes, the password hash is needed for that.

CC: (none) => mageia

Comment 3 Paul Blackburn 2023-01-13 15:37:42 CET
Hello Martin,

Please would you confirm: once the install is completed and the system rebooted, there is no need to store a root password hash in /root/drakx/auto_inst.cfg.pl?

I observe that after install and reboot, if the root password is changed, then the root password hash in /root/drakx/auto_inst.cfg.pl remains unchanged.

For me, there should only be one copy of the root password hash, in /etc/shadow:

    grep root: /etc/shadow | awk -F: '{print $2}'

Comment 4 Pascal Terjan 2023-01-13 15:55:35 CET
The goal of /root/drakx/auto_inst.cfg.pl is to record all parameters of the install to allow reinstalling or installing another machine with the same parameters automatically.

That file is written when the install completes and is not used by anything unless you copy it somewhere to use it for installing.

See https://wiki.mageia.org/en/Auto_inst

CC: (none) => pterjan

Comment 5 Paul Blackburn 2023-01-13 18:14:55 CET
Hi Pascal,

That sounds like a useful capability. Interesting wiki page for Auto_inst.

I do not need this so I will simply make sure I reset the root password after installation.

Thanks
Kind regards