Bug 31397 - Mageia installer leaves a copy of root password hash in /root/drakx/auto_inst.cfg.pl
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Installer
Version: Cauldron
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Mageia tools maintainers
Reported: 2023-01-12 11:57 CET by Paul Blackburn
Modified: 2023-01-13 18:14 CET

Description Paul Blackburn 2023-01-12 11:57:50 CET
Description of problem:

There appears to be a copy of the root password hash in /root/drakx/auto_inst.cfg.pl.

Directory permissions on /root and /root/drakx are good: root only access.
File permissions on /root/drakx/auto_inst.cfg.pl are 644. Probably better if set to 640 (provided that does not break anything).

# ls -ld /root /root/drakx /root/drakx/auto_inst.cfg.pl
drwxr-x--- 14 root root  4096 Jan  6 19:09 /root/
drwx------  2 root root  4096 Jul  9  2021 /root/drakx/
-rw-r--r--  1 root root 11249 Jul  9  2021 /root/drakx/auto_inst.cfg.pl

The password hash can be viewed (when authenticated as root) with: 

< /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p"


I am wondering: is it needed to keep a copy of the root password hash in /root/drakx/auto_inst.cfg.pl?
Perhaps it would be better either removed or redacted in /auto_inst.cfg.pl after install is completed?



Version-Release number of selected component (if applicable):


How reproducible: happens every time Mageia is installed


Steps to Reproduce:
1. Install Mageia
2. Examine /root/drakx/auto_inst.cfg.pl with:
< /root/drakx/auto_inst.cfg.pl sed -n "/'superuser'/,/},/p"
Comment 1 Lewis Smith 2023-01-12 19:35:52 CET
Thank you for this detailed report.

Assigning forthwith to the Installer people.

Component: RPM Packages => Installer
Assignee: bugsquad => mageiatools

Comment 2 Martin Whitaker 2023-01-13 00:57:57 CET
I agree it would be better to set the file permissions to 640, but as the directory can only be accessed by root, I don't think it's a serious issue. I don't see a problem with the password hash being viewable by root, as the same hash is viewable in /etc/shadow.

auto_inst.cfg.pl is there to allow a system to be reinstalled without any manual input, so yes, the password hash is needed for that.

CC: (none) => mageia

Comment 3 Paul Blackburn 2023-01-13 15:37:42 CET
Hello Martin,

Please would you confirm: when install is completed and system rebooted there is no need to store a root password hash in /root/drakx/auto_inst.cfg.pl ?

I observe that after install and reboot, if the root password is changed then the root password hash in /root/drakx/auto_inst.cfg.pl remains unchanged.

For me, there should only be one copy of the root password hash in /etc/shadow:

    grep root: /etc/shadow | awk -F: '{print $2}'
Comment 4 Pascal Terjan 2023-01-13 15:55:35 CET
The goal of /root/drakx/auto_inst.cfg.pl is to record all parameters of the install to allow reinstalling or installing another machine with the same parameters automatically.

That file is written when the install completes and is not used by anything unless you copy it somewhere to use it for installing.

See https://wiki.mageia.org/en/Auto_inst

CC: (none) => pterjan

Comment 5 Paul Blackburn 2023-01-13 18:14:55 CET
Salut Pascal

That sounds like a useful capability. Interesting wiki page for Auto_inst.

I do not need this so I will simply make sure I reset the root password after installation.

Merci
Cordialement
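
The checks discussed in this thread (the file mode, the hash inside the 'superuser' block, and whether that hash still matches /etc/shadow after a password change), written as an added example that is not part of the original report or Mageia's own code. The `pw` key name, the crypt(3)-style hash format and every sample value are assumptions constructed for the demo; `redact` only prints a redacted copy and changes nothing on disk.

```shell
#!/bin/sh
# Added example (not Mageia code). Assumptions: the saved hash is a crypt(3)
# string ($id$salt$digest) inside the 'superuser' block; the 'pw' key name
# and every hash value below are constructed for the demo.

# Print crypt-style hashes found in the 'superuser' block of file $1.
superuser_hashes() {
    sed -n "/'superuser'/,/},/p" "$1" |
        grep -Eo '\$[0-9a-z]+\$[./A-Za-z0-9$=,]+' || true
}

# Print field 2 (the hash) of the root entry in shadow-format file $1.
shadow_root_hash() { awk -F: '$1 == "root" { print $2 }' "$1"; }

# Report absent / current / stale for file $1 against shadow file $2.
classify() {
    h=$(superuser_hashes "$1" | head -n 1)
    if [ -z "$h" ]; then echo absent
    elif [ "$h" = "$(shadow_root_hash "$2")" ]; then echo current
    else echo stale
    fi
}

# Succeed if "other" has any permission bit on $1 (644 yes, 640 no).
other_access() { [ "$(ls -ld "$1" | cut -c8-10)" != "---" ]; }

# Print a copy of $1 with the hash in the 'superuser' block replaced.
redact() { sed "/'superuser'/,/},/s/\\\$[0-9a-z]\{1,\}\\\$[^']*/REDACTED/" "$1"; }

# Write constructed sample files into directory $1.
make_sample() {
    cat > "$1/auto_inst.cfg.pl" <<'EOF'
$o = {
  'superuser' => {
    'pw' => '$6$SALTsalt$OLDoldOLDold',
    'uid' => '0'
  },
};
EOF
    printf 'root:$6$SALTsalt$NEWnewNEWnew:19370::::::\n' > "$1/shadow"
    chmod 644 "$1/auto_inst.cfg.pl"
}

d=$(mktemp -d) && make_sample "$d"
echo "hash copy: $(classify "$d/auto_inst.cfg.pl" "$d/shadow")"
other_access "$d/auto_inst.cfg.pl" && echo "readable by others"
rm -rf "$d"
```

On a real system the two arguments to `classify` would be /root/drakx/auto_inst.cfg.pl and /etc/shadow, read as root.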