Avoid setting empty root password (#964299)
When using kickstart with no rootpw command, imgcreate ended up calling
"passwd -d root", leaving the root account password-less. That may lead to
local or remote privilege escalation.
This change does the following:
1) No password manipulation is done when the password is an empty string and
rootpw was not called with --iscrypted
2) Password is locked when "rootpw --lock" is used
Notes:
Users can still shoot themselves in the foot by using: rootpw --iscrypted ""
Resolves: rhbz#964299 (CVE-2013-2069)
Signed-off-by: Brian C. Lane <bcl@redhat.com>
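
An added example, not part of this commit or of imgcreate: a Python audit that classifies the rootpw handling in a kickstart file into the cases the message distinguishes, so risky files can be caught before an image is built. The function name, result codes and sample file are constructed for illustration, and it assumes a password never begins with `--`.

```python
import shlex

def audit_rootpw(kickstart_text):
    """Classify every rootpw command in a kickstart file.

    Returns [(line_number, code)], or [(0, "missing")] when there is none.
    Codes: locked, set, empty-crypted, empty-plain, missing.
    """
    findings, in_section = [], False
    for number, raw in enumerate(kickstart_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("%"):
            # Bodies of %packages, %post, ... are not kickstart commands.
            if line.startswith("%end"):
                in_section = False
            elif not line.startswith("%include"):
                in_section = True
            continue
        if in_section:
            continue
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quotes: not parseable as a command
            continue
        if not tokens or tokens[0] != "rootpw":
            continue
        options = {t for t in tokens[1:] if t.startswith("--")}
        values = [t for t in tokens[1:] if not t.startswith("--")]
        password = values[0] if values else ""
        if "--lock" in options:
            code = "locked"          # password is locked
        elif password:
            code = "set"             # a non-empty password or hash is given
        elif "--iscrypted" in options:
            code = "empty-crypted"   # the case the commit notes is still unsafe
        else:
            code = "empty-plain"     # with the fix: password left untouched
        findings.append((number, code))
    # No rootpw at all is the case that used to end in "passwd -d root".
    return findings or [(0, "missing")]

# Constructed sample kickstart file.
SAMPLE = 'lang en_US.UTF-8\nrootpw --iscrypted ""\n%packages\nrootpw\n%end\n'

if __name__ == "__main__":
    for number, code in audit_rootpw(SAMPLE):
        print(f"line {number}: {code}")
```

Treat `missing` and `empty-crypted` as build-blocking findings in review or CI.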