Description of problem: there appears to be a copy of the root password hash in /root/drakx/auto_inst.cfg.pl. Directory permissions on /root and /root/drakx are good: root only access. File permissions on /root/drakx/auto_inst.cfg.pl are 644. Probably better if set to 640 (provided that does not break anything). # ls -ld /root /root/drakx /root/drakx/auto_inst.cfg.pl drwxr-x--- 14 root root 4096 Jan 6 19:09 /root/ drwx------ 2 root root 4096 Jul 9 2021 /root/drakx/ -rw-r--r-- 1 root root 11249 Jul 9 2021 /root/drakx/auto_inst.cfg.pl The password hash can be viewed (when authenticated as root) with: < /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p" I am wondering: is it needed to keep root password hash copy in /root/drakx /root/drakx/auto_inst.cfg.pl? Perhaps it would be better either removed or redacted in /auto_inst.cfg.pl after install is completed? Version-Release number of selected component (if applicable): How reproducible: happens every time mageia is installed Steps to Reproduce: 1.install mageia 2. examine /root/drakx/auto_inst.cfg.pl with: < /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p" 3.
Thank you for this detailed report. Assigning forthwith to the Installer people.
Component: RPM Packages => InstallerAssignee: bugsquad => mageiatools
I agree it would be better to set the file permissions to 640, but as the directory can only be accessed by root, I don't think it's a serious issue. I don't see a problem with the password hash being viewable by root, as the same hash is viewable in /etc/shadow. auto_inst.cfg.pl is there to allow a system to be reinstalled without any manual input, so yes, the password hash is needed for that.
CC: (none) => mageia
Hello Martin, Please would you confirm: when install is completed and system rebooted there is no need to store a root password hash in /root/drakx/auto_inst.cfg.pl ? I observe that after install and reboot, if the root password is changed then the root password hash in in /root/drakx/auto_inst.cfg.pl remains unchanged. For me, there should only be one copy of the root password hash in /etc/shadow: grep root: /etc/shadow | awk -F: '{print $2}'
The goal of /root/drakx/auto_inst.cfg.pl is to record all parameters of the install to allow reinstalling or installing another machine with the same parameters automatically. That file is written when the install completes and is not used by anything unless you copy it somewhere to use it for installing. See https://wiki.mageia.org/en/Auto_inst
CC: (none) => pterjan
Salut Pascal That sounds like a useful capability. Interesting wiki page for Auto_inst. I do not need this so I will simply make sure I reset the root password after installation. Merci Cordialement