Debian Bug report logs - #402644
Root password hash in fai.log

Package: fai-client; Maintainer for fai-client is Thomas Lange <lange@debian.org>; Source for fai-client is src:fai.

Reported by: "Justin R. Beckley" <jbeckley@ece.utk.edu>

Date: Mon, 11 Dec 2006 20:48:12 UTC

Severity: normal

Tags: security

Found in version fai/2.10.1

Fixed in version fai/3.1.3

Done: Thomas Lange <lange@debian.org>

Bug is archived. No further changes may be made.

Report forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#402644; Package fai-client.


Acknowledgement sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
New Bug report received and forwarded. Copy sent to Thomas Lange <lange@debian.org>.


Message #5 received at submit@bugs.debian.org:

From: "Justin R. Beckley" <jbeckley@ece.utk.edu>
To: submit@bugs.debian.org
Subject: Root password hash in fai.log
Date: Mon, 11 Dec 2006 15:24:43 -0500
Package: fai-client
Version: 2.10.1

If an install is in verbose mode, the root password hash is stored in /var/log/fai/current/fai.log.
When fai-savelog is called, it copies this log file to the newly installed host, leaving the hash in the file.

Thanks




Tags added: security. Request was from Holger Levsen <debian@layer-acht.org> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#402644; Package fai-client.


Acknowledgement sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.


Message #12 received at 402644@bugs.debian.org:

From: "Justin R. Beckley" <jbeckley@ece.utk.edu>
To: 402644@bugs.debian.org
Subject: My patch for this bug
Date: Tue, 12 Dec 2006 11:15:56 -0500

save_log_local() {
...
...
mkdir -p $thislog
cp -a $LOGDIR/* $thislog
+ if [ $verbose -eq 1 ]
+ then
+   grep -v "rootpw=" $LOGDIR/fai.log > $thislog/fai.log
+ fi
ln -snf $HOSTNAME $logbase/localhost
ln -snf $FAI_ACTION-$FAI_RUNDATE $logbase/$HOSTNAME/last-$FAI_ACTION
...
...
}
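
Review bot: the filter on the `+` lines cleans only `$thislog/fai.log`, and only after `cp -a $LOGDIR/* $thislog` has already copied the unfiltered file, so `$LOGDIR/fai.log` keeps its `rootpw=` line and anything later copied from `$LOGDIR` still carries the hash. Filtering before the copy, or at the source, would close that gap. The test should also be quoted as `[ "$verbose" -eq 1 ]`: with `$verbose` empty or unset the unquoted form makes `[` fail with an error and the filter is skipped. Running the `grep -v` unconditionally would be simpler still, since a log without a `rootpw=` line passes through unchanged.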



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#402644; Package fai-client.


Acknowledgement sent to Thomas Lange <lange@informatik.uni-koeln.de>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.


Message #17 received at 402644@bugs.debian.org:

From: Thomas Lange <lange@informatik.uni-koeln.de>
To: "Justin R. Beckley" <jbeckley@ece.utk.edu>, 402644@bugs.debian.org
Subject: Re: Bug#402644: My patch for this bug
Date: Tue, 12 Dec 2006 18:32:49 +0100

I agree that we do not need the hash in the local log files.

I wonder if it's a bug or a feature that we copy the hash (md5 by
default) of the rootpw to the remote location.

This fix may not be complete (depending on bug or feature that it's
copied to remote), since fai-savelog copies from $LOGDIR when
doing the remote copy and only $thislog/fai.log was cleaned up.

-- 
regards Thomas



Information forwarded to debian-bugs-dist@lists.debian.org, Thomas Lange <lange@debian.org>:
Bug#402644; Package fai-client.


Acknowledgement sent to Thomas Lange <lange@informatik.uni-koeln.de>:
Extra info received and forwarded to list. Copy sent to Thomas Lange <lange@debian.org>.


Message #22 received at 402644@bugs.debian.org:

From: Thomas Lange <lange@informatik.uni-koeln.de>
To: 402644@bugs.debian.org
Subject: Re: Bug#402644: My patch for this bug
Date: Wed, 13 Dec 2006 11:30:23 +0100

What do you think about making the /var/log/fai directory read
only for root and the group adm? IMO this would fix the security
problem.

-- 
regards Thomas



Reply sent to Thomas Lange <lange@debian.org>:
You have taken responsibility.


Notification sent to "Justin R. Beckley" <jbeckley@ece.utk.edu>:
Bug acknowledged by developer.


Message #27 received at 402644-close@bugs.debian.org:

From: Thomas Lange <lange@debian.org>
To: 402644-close@bugs.debian.org
Subject: Bug#402644: fixed in fai 3.1.3
Date: Tue, 19 Dec 2006 12:17:02 +0000
Source: fai
Source-Version: 3.1.3

We believe that the bug you reported is fixed in the latest version of
fai, which is due to be installed in the Debian FTP archive:

fai-client_3.1.3_all.deb
  to pool/main/f/fai/fai-client_3.1.3_all.deb
fai-doc_3.1.3_all.deb
  to pool/main/f/fai/fai-doc_3.1.3_all.deb
fai-nfsroot_3.1.3_all.deb
  to pool/main/f/fai/fai-nfsroot_3.1.3_all.deb
fai-quickstart_3.1.3_all.deb
  to pool/main/f/fai/fai-quickstart_3.1.3_all.deb
fai-server_3.1.3_all.deb
  to pool/main/f/fai/fai-server_3.1.3_all.deb
fai_3.1.3.dsc
  to pool/main/f/fai/fai_3.1.3.dsc
fai_3.1.3.tar.gz
  to pool/main/f/fai/fai_3.1.3.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 402644@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Lange <lange@debian.org> (supplier of updated fai package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Sun, 17 Dec 2006 17:40:54 +0100
Source: fai
Binary: fai-client fai-server fai-doc fai-quickstart fai-nfsroot
Architecture: source all
Version: 3.1.3
Distribution: unstable
Urgency: medium
Maintainer: Thomas Lange <lange@debian.org>
Changed-By: Thomas Lange <lange@debian.org>
Description: 
 fai-client - Fully Automatic Installation client package
 fai-doc    - Documentation for FAI
 fai-nfsroot - Fully Automatic Installation nfsroot package
 fai-quickstart - Fully Automatic Installation quickstart package
 fai-server - Fully Automatic Installation server package
Closes: 402294 402588 402644
Changes: 
 fai (3.1.3) unstable; urgency=medium
 .
   * fai-savelog: fix a security tagged bug, make local copy of LOGDIR only
     readable for root and group adm (closes: #402644)
   * fai: add missing shift command (closes: #402588)
   * fai.8: improve dirinstall info (closes: #402294)
   * package_config/FAIBASE: add packages, this is only a documentation
     change
Files: 
 95accfc87e1956290b917fe54fbd199e 639 admin extra fai_3.1.3.dsc
 422ad99cc65074aedb32fd51aafab61b 193728 admin extra fai_3.1.3.tar.gz
 44c04bf0282796afe57dd569209bd48a 98672 admin extra fai-client_3.1.3_all.deb
 c4123354a610bf1ec060e0897b82d5f8 561800 doc extra fai-doc_3.1.3_all.deb
 6785b04988a718c30feba31a9ef8c9e7 35830 admin extra fai-server_3.1.3_all.deb
 53138d656f838433520d9cd80139fa14 1876 admin extra fai-quickstart_3.1.3_all.deb
 3a0c3ece1f65515a680c1fc71975aa53 45048 admin extra fai-nfsroot_3.1.3_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 10:35:50 GMT)
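
The two mitigations discussed in this thread, dropping the `rootpw=` line from saved logs and restricting the saved copy to root and group adm, combined in one added shell example. It is not FAI's fai-savelog code; the function names, the paths passed in and the behaviour when group adm is missing are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not FAI's fai-savelog. Function names are hypothetical.

# Copy an install log directory so that the copy carries no "rootpw=" lines
# and grants no access to "other" users.
save_log_restricted() {
    src=$1 dst=$2
    (
        umask 027                        # new files 640, new directories 750
        mkdir -p "$dst" || exit 1
        chmod 750 "$dst"                 # covers a pre-existing directory
        for f in "$src"/*; do
            [ -f "$f" ] || continue
            # Filter every log, in every mode, while copying; the unfiltered
            # file never lands in the destination.
            # grep exits 1 when no line survives; that is not an error here.
            grep -v 'rootpw=' "$f" > "$dst/$(basename "$f")" \
                || [ $? -eq 1 ] || exit 1
        done
        # Group adm as named in the fai 3.1.3 changelog; only root can assign it.
        if [ "$(id -u)" -eq 0 ]; then
            chgrp -R adm "$dst" 2>/dev/null \
                || echo "warning: could not set group adm on $dst" >&2
        fi
    )
}

# Audit: list files under a directory that still expose the hash, either
# because they contain a "rootpw=" line or because "other" can read them.
find_exposed_logs() {
    dir=$1
    {
        grep -rl 'rootpw=' "$dir" 2>/dev/null || true
        find "$dir" -type f -perm -004 2>/dev/null
    } | sort -u
}
```

Running `find_exposed_logs` over both the local log directory and the remote save location covers the case raised in message #17, where the remote copy is taken from the unfiltered source.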

