[elbe-devel] elbe_base.xml contains others readable passwords

Manuel Traut manuel.traut at linutronix.de
Wed Apr 27 22:31:53 CEST 2016


On 09:02 Tue 26 Apr, Mark Ruys wrote:
> 
> Hijacking my own thread, I saw the XML config file is being exported to the generated rootfs image. I've added 
> 
> 	<rm>etc/elbe_base.xml</rm>
> 
> in the fine tuning as it contains commands to create user accounts. We don't want our passwords in a plain text 0644 file in the image. You might want to make copying in the XML a configuration option so we know we need to choose.

The elbe_base.xml is used by the elbe-updated for example. Of course this is a security nightmare.
Every user can read the root password! I hope these commits [0], [1] fix the issue.

I just triggered a test run in our Jenkins. I will release a 1.0 bugfix release as soon as it is verified
that the issue is gone.

Thanks a lot for this report!

  Manuel

[0] https://github.com/Linutronix/elbe/commit/c6886563402ff06b5804084fd76e4cb791e0ce1d
[1] https://github.com/Linutronix/elbe/commit/653f9033e3a01aa119354f3c45b895b4429a2dc3
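
An added example (not part of the original message and not ELBE project code): a check a build pipeline could run against an unpacked rootfs to flag the exposure discussed in this thread, a password-bearing etc/elbe_base.xml that is readable by others. The `<passwd>` element and `passwd="..."` attribute patterns, the function names and the sample XML are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Assumption: secrets show up as a <passwd> element or a passwd="..." attribute.
SECRET_RE = re.compile(rb"<passwd[\s>]|\bpasswd\s*=\s*[\"']")

# Constructed sample, not a real ELBE configuration.
SAMPLE_XML = b"""<RootFileSystem>
  <target><passwd>example-only</passwd></target>
  <finetuning><adduser passwd="example-only" shell="/bin/sh">demo</adduser></finetuning>
</RootFileSystem>
"""

def audit_rootfs(rootfs, rel_paths=("etc/elbe_base.xml",)):
    """Return (relative path, octal mode, reason) for each exposed file."""
    findings = []
    for rel in rel_paths:
        path = os.path.join(rootfs, rel)
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue  # file is gone, e.g. removed by an <rm> finetuning rule
        if not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        with open(path, "rb") as fh:
            has_secret = SECRET_RE.search(fh.read()) is not None
        # The problem case from the thread: password material plus o+r.
        if has_secret and mode & stat.S_IROTH:
            findings.append((rel, oct(mode), "world-readable file carries password material"))
    return findings

def demo():
    """Audit a constructed rootfs tree in three states: 0644, 0600, removed."""
    with tempfile.TemporaryDirectory() as rootfs:
        os.mkdir(os.path.join(rootfs, "etc"))
        cfg = os.path.join(rootfs, "etc", "elbe_base.xml")
        with open(cfg, "wb") as fh:
            fh.write(SAMPLE_XML)
        os.chmod(cfg, 0o644)
        exposed = audit_rootfs(rootfs)
        os.chmod(cfg, 0o600)
        restricted = audit_rootfs(rootfs)
        os.remove(cfg)
        removed = audit_rootfs(rootfs)
    return exposed, restricted, removed

if __name__ == "__main__":
    for label, result in zip(("0644", "0600", "removed"), demo()):
        print(label, result)
```
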



