Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>: Bug#402644; Package fai-client.
Acknowledgement sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
New Bug report received and forwarded. Copy sent to Thomas Lange <lange@debian.org>.
Package: fai-client
Version: 2.10.1
If an install is in verbose mode, the root password hash is stored in /var/log/fai/current/fai.log.
When fai-savelog is called, it copies this log file to the newly installed host, leaving the hash in the file.
Thanks
Tags added: security
Request was from Holger Levsen <debian@layer-acht.org>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>: Bug#402644; Package fai-client.
Acknowledgement sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.
save_log_local() {
...
...
mkdir -p $thislog
cp -a $LOGDIR/* $thislog
+ if [ $verbose -eq 1 ]
+ then
+ grep -v "rootpw=" $LOGDIR/fai.log > $thislog/fai.log
+ fi
ln -snf $HOSTNAME $logbase/localhost
ln -snf $FAI_ACTION-$FAI_RUNDATE $logbase/$HOSTNAME/last-$FAI_ACTION
...
...
}
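Review bot: the added "if [ $verbose -eq 1 ]" block runs after "cp -a $LOGDIR/* $thislog", so the unfiltered fai.log has already been written into $thislog before grep overwrites it, and the unquoted $verbose makes the test fail with an error if the variable is empty or unset. Suggest quoting the variables and running the filter unconditionally, since grep -v "rootpw=" changes nothing when no such line is present. The filter also only rewrites $thislog/fai.log; $LOGDIR/fai.log still contains the hash, so any other copy taken from $LOGDIR is not covered by this hunk.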
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>: Bug#402644; Package fai-client.
Acknowledgement sent to Thomas Lange <lange@informatik.uni-koeln.de>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.
From: Thomas Lange <lange@informatik.uni-koeln.de>
To: "Justin R. Beckley" <jbeckley@ece.utk.edu>, 402644@bugs.debian.org
Subject: Re: Bug#402644: My patch for this bug
Date: Tue, 12 Dec 2006 18:32:49 +0100
I agree that we do not need the hash in the local log files.
I wonder if it's a bug or a feature that we copy the hash (md5 by
default) of the rootpw to the remote location.
This fix may not be complete (depending on bug or feature that it's
copied to remote), since fai-savelog copies from $LOGDIR when
doing the remote copy and only $thislog/fai.log was cleaned up.
--
regards Thomas
Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>: Bug#402644; Package fai-client.
Acknowledgement sent to Thomas Lange <lange@informatik.uni-koeln.de>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.
From: Thomas Lange <lange@informatik.uni-koeln.de>
To: 402644@bugs.debian.org
Subject: Re: Bug#402644: My patch for this bug
Date: Wed, 13 Dec 2006 11:30:23 +0100
What do you think about making the /var/log/fai directory read
only for root and the group adm? IMO this would fix the security
problem.
-
regards Thomas
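
The two mitigations discussed in this thread, dropping the "rootpw=" line and restricting the saved log directory to root and one group, combined in one POSIX shell function. This is an added example, not code from FAI or from either correspondent; the function names, the sample log lines and the hash value are constructed for illustration.

```shell
#!/bin/sh
# Added example (not FAI code): copy install logs with the password hash
# removed and with permissions limited to the owner and one group.

# save_log_redacted SRC DST [GROUP]
# The body is a subshell "( ... )" so the umask change stays local.
save_log_redacted() (
    src=$1; dst=$2; grp=${3:-adm}
    umask 027                         # new files 0640, new directories 0750
    mkdir -p "$dst" && chmod 750 "$dst" || exit 1
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        out=$dst/$(basename "$f")
        # Filter while copying, so an unredacted copy never lands in DST.
        # grep exits 1 when it keeps no lines; only a status above 1 is an error.
        grep -v 'rootpw=' "$f" > "$out" || [ $? -eq 1 ] || exit 1
        chmod 640 "$out" || exit 1    # also tightens files that already existed
    done
    # Changing the group may need privileges; warn instead of failing.
    chgrp -R "$grp" "$dst" 2>/dev/null ||
        echo "warning: could not set group $grp on $dst" >&2
)

# leaked_files DIR: print the files in DIR that still contain a rootpw= line.
leaked_files() {
    grep -l 'rootpw=' "$1"/* 2>/dev/null || true
}

# make_sample_logs DIR: constructed sample data, not a real FAI log or hash.
make_sample_logs() {
    mkdir -p "$1"
    cat > "$1/fai.log" <<'EOF'
Calling task_confdir
rootpw=$1$CONSTRUCTED$notARealHashValue000000
Calling task_savelog
EOF
    printf 'Mounting /dev/sda1\n' > "$1/format.log"
}
```

Running leaked_files on the source directory afterwards still reports fai.log, which is the remote-copy concern raised earlier in the thread: the redaction protects only the destination.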
Reply sent to Thomas Lange <lange@debian.org>:
You have taken responsibility.
Notification sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
Bug acknowledged by developer.
Source: fai
Source-Version: 3.1.3
We believe that the bug you reported is fixed in the latest version of
fai, which is due to be installed in the Debian FTP archive:
fai-client_3.1.3_all.deb
to pool/main/f/fai/fai-client_3.1.3_all.deb
fai-doc_3.1.3_all.deb
to pool/main/f/fai/fai-doc_3.1.3_all.deb
fai-nfsroot_3.1.3_all.deb
to pool/main/f/fai/fai-nfsroot_3.1.3_all.deb
fai-quickstart_3.1.3_all.deb
to pool/main/f/fai/fai-quickstart_3.1.3_all.deb
fai-server_3.1.3_all.deb
to pool/main/f/fai/fai-server_3.1.3_all.deb
fai_3.1.3.dsc
to pool/main/f/fai/fai_3.1.3.dsc
fai_3.1.3.tar.gz
to pool/main/f/fai/fai_3.1.3.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 402644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Lange <lange@debian.org> (supplier of updated fai package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Sun, 17 Dec 2006 17:40:54 +0100
Source: fai
Binary: fai-client fai-server fai-doc fai-quickstart fai-nfsroot
Architecture: source all
Version: 3.1.3
Distribution: unstable
Urgency: medium
Maintainer: Thomas Lange <lange@debian.org>
Changed-By: Thomas Lange <lange@debian.org>
Description:
fai-client - Fully Automatic Installation client package
fai-doc - Documentation for FAI
fai-nfsroot - Fully Automatic Installation nfsroot package
fai-quickstart - Fully Automatic Installation quickstart package
fai-server - Fully Automatic Installation server package
Closes: 402294 402588 402644
Changes:
fai (3.1.3) unstable; urgency=medium
.
* fai-savelog: fix a security tagged bug, make local copy of LOGDIR only
readable for root and group adm (closes: #402644)
* fai: add missing shift command (closes: #402588)
* fai.8: improve dirinstall info (closes: #402294)
* package_config/FAIBASE: add packages, this is only a documentation
change
Files:
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Mon, 25 Jun 2007 10:35:50 GMT)