commit: 35e6ad46825721dff195ad743277af5f9bd989e1
Author: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
AuthorDate: Sat Feb 25 00:46:45 2017 +0000
Commit: Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Sat Feb 25 00:46:52 2017 +0000
URL: https://gitweb.gentoo.org/proj/livecd-tools.git/commit/?id=35e6ad46
autoconfig: protect password in /proc/cmdline.

If passing a root password in /proc/cmdline, we should protect /proc/cmdline from non-root users. If root mounts a NEW /proc filesystem, this will be exposed again, but that's out of our control.

The kernel boot parameter hidepid= only affects /proc/$PID/cmdline, so cannot be used in this case.

Fixes: https://bugs.gentoo.org/show_bug.cgi?id=610840
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>

init.d/autoconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/init.d/autoconfig b/init.d/autoconfig index 5991fef..76d6086 100644 --- a/init.d/autoconfig +++ b/init.d/autoconfig @@ -534,6 +534,7 @@ start() { fi if ! yesno "${PASSWD}" then + chmod og-r /proc/cmdline # Try to secure the kernel parameters per bug #610840 echo "root:${PASSWORD}" | chpasswd > /dev/null 2>&1 fi if yesno "${SSHD}"
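
Review bot: the added chmod og-r /proc/cmdline in start() ignores its exit status, so if it fails the root password stays readable by non-root users and the script carries on to chpasswd with no indication. Consider checking the result and logging a warning, for example: chmod og-r /proc/cmdline || ewarn "could not restrict /proc/cmdline". The trailing comment could also record the limitation given in the commit message, that a newly mounted /proc exposes the file again, so later readers of the script do not take this line as a complete fix.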