Project

General

Profile

Actions

Bug #2069

closed

(encrypted) root passwords are world readable

Added by Andreas Rogge almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Security
Target version:
Difficulty:
medium
Triaged:
Fixed in Releases:
Found in Releases:

Description

This is related to #39.
Essentially I do ask for the same feature, but I believe it is not a feature request, but a major security issue.

Right now anyone can download the external nodes YAML without any limitation. For a really basic setup (that doesn't even use external nodes) it looks like this:

--
parameters:
puppetmaster: puppet.master.server.fqdn
owner_email:
foreman_env: &id001 production
owner_name: Admin User
root_pw: $1$GDJmRQFN$3hXafZx7hyZdbaL5q2Q8t1
classes: []

As you can see this makes the hash of the root password world readable.

The access to the external nodes script should be limited.
Maybe simply by checking the remote ip address against an array of configured addresses. We definitely need to set the default to no access.

We did move the password hashes from /etc/passwd to /etc/shadow in the early nineties by intent: they should not be world-readable.


Related issues 3 (1 open2 closed)

Related to Foreman - Bug #2121: Unauthenticated YAML fact and reports importers can be exploitedClosedDominic Cleal01/09/2013Actions
Related to Foreman - Feature #2127: Support newer hash schemes for root passwordsClosed01/15/2013Actions
Related to Foreman - Bug #3060: Remove YAML host permissions from basic users,New09/09/2013Actions
Actions

Also available in: Atom PDF