Hello list,
I've just found that the resulting anaconda-ks.cfg does not include the
%pre, %post, %traceback scripts from the ks.cfg used for installation.
I've talked to several people and here is the result.
Why this is missing:
1) If the initial ks.cfg contains some sensitive information it should
not get written to disc.
- IMO if such info is used it's already present somewhere on disc.
- An attacker may sniff the network traffic and discover that info if
needed.
- /root is accessible to the root user.
Hence there is not much argument from a security point of view to skip the
%post in anaconda-ks.cfg.
Why it should be there:
1) To be able to reproduce the same install over and over again. In some
cases %post may be tweaking settings or custom configuration.
2) To keep the configuration used during installation in cases where
ks.cfg is generated dynamically/not available after some period, etc.
3) To have things where one expects them to be: anaconda-ks.cfg
How it should appear in anaconda:
- The most reasonable solution is to probably have another option
--write-ks-scripts which will enable this functionality.
Scripts can be written directly to the resulting anaconda-ks.cfg or in
separate files e.g. anaconda-ks.pre, anaconda-ks.post, etc.
Any comments and concerns are welcome.
Greetings,
Alexander.
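
The separate-files variant proposed in the message above, sketched as an added example (not anaconda code and not part of the original post). It assumes section markers start at column 0 and that a script section ends at `%end` or at the next marker; the function names and the sample kickstart are constructed, and the files are created with mode 0600 because the scripts may carry the sensitive information the message discusses.

```python
import os
import re

SCRIPT_SECTIONS = ("%pre", "%post", "%traceback")  # sections named in the message
HEADER = re.compile(r"^%([\w-]+)")  # any kickstart section marker, including %end

# Constructed sample: one section closed by %end, the others by the next marker or EOF.
SAMPLE_KS = """\
install
rootpw --iscrypted PLACEHOLDER
%packages
@core
%pre
echo pre-step
%post --nochroot
echo first
%end
%post
echo second
"""

def split_ks_scripts(ks_text):
    """Return {marker: [section_text, ...]} for the script sections in ks_text."""
    scripts, name, body = {}, None, []
    for line in ks_text.splitlines():
        m = HEADER.match(line)
        if m is None:
            if name:
                body.append(line)  # ordinary line inside an open script section
            continue
        if name:  # any new marker closes the open script section
            scripts.setdefault(name, []).append("\n".join(body) + "\n")
        marker = "%" + m.group(1)
        name, body = (marker, [line]) if marker in SCRIPT_SECTIONS else (None, [])
    if name:  # section left open at end of file (no %end)
        scripts.setdefault(name, []).append("\n".join(body) + "\n")
    return scripts

def write_ks_scripts(scripts, outdir):
    """Write anaconda-ks.pre, anaconda-ks.post, ... readable by the owner only."""
    paths = []
    for name, chunks in scripts.items():
        path = os.path.join(outdir, "anaconda-ks." + name.lstrip("%"))
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        os.fchmod(fd, 0o600)  # also tighten a file that already existed
        with os.fdopen(fd, "w") as fh:
            fh.write("".join(chunks))
        paths.append(path)
    return sorted(paths)
```
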