Logging user & admin passwords in the command-line is a security issue, let's avoid doing so by:
- Not printing the values set by the user when setting up the install-script config file;
- Removing the values used in the install-scripts, when printing their content;

'CVE-2019-10183' has been assigned to the virt-install --unattended admin-password=xxx disclosure issue.

Signed-off-by: Fabiano Fidêncio <fidencio@xxxxxxxxxx>
---
 virtinst/install/unattended.py | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/virtinst/install/unattended.py b/virtinst/install/unattended.py
index 4f311296..04758563 100644
--- a/virtinst/install/unattended.py
+++ b/virtinst/install/unattended.py
@@ -97,8 +97,6 @@ def _make_installconfig(script, osobj, unattended_data, arch, hostname, url):
     log.debug("InstallScriptConfig created with the following params:")
     log.debug("username: %s", config.get_user_login())
     log.debug("realname: %s", config.get_user_realname())
-    log.debug("user password: %s", config.get_user_password())
-    log.debug("admin password: %s", config.get_admin_password())
     log.debug("target disk: %s", config.get_target_disk())
     log.debug("hardware arch: %s", config.get_hardware_arch())
     log.debug("hostname: %s", config.get_hostname())
@@ -195,6 +193,14 @@ class OSInstallScript:
         content = self.generate()
         open(scriptpath, "w").write(content)
 
+        user_password = self._config.get_user_password()
+        if user_password:
+            content = content.replace(user_password, "[SCRUBBED]")
+
+        admin_password = self._config.get_admin_password()
+        if admin_password:
+            content = content.replace(admin_password, "[SCRUBBED]")
+
         log.debug("Generated unattended script: %s", scriptpath)
         log.debug("Generated script contents:\n%s", content)
-- 
2.21.0

_______________________________________________
virt-tools-list mailing list
virt-tools-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/virt-tools-list
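Review bot: The redaction added in the second hunk only strips the literal plaintext via `content.replace(user_password, "[SCRUBBED]")`, so if the script produced by `self.generate()` carries the password in a transformed form (XML-escaped in an autounattend.xml, shell-quoted, or hashed by the template) the "Generated script contents" debug line would still expose it; what the template does to the value is outside this hunk, so this is a risk to confirm rather than a proven leak. A more robust default is to log only `scriptpath` at debug level and drop the full-contents log, or to redact per line (drop any line containing either password) instead of relying on an exact substring match. A one- or two-character password also makes the replace mangle unrelated text in the log, which is harmless but deserves a comment such as `# Best-effort redaction for the debug log only; the script on disk still holds the plaintext`. The enclosing method starts before the hunk, and the unchanged `open(scriptpath, "w").write(content)` line leaves the handle unclosed and creates the file with the process umask — pre-existing, but that file now carries the plaintext passwords, so its permissions are worth a look.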