Makefile | 2 +- imgcreate/kickstart.py | 11 ++++++----- 2 files changed, 7 insertions(+), 6 deletions(-)
New commits:
commit 49164d86c013b1d59314fb67a0a3d22d19b29b4b
Author: Brian C. Lane <[email protected]>
Date: Thu May 23 06:23:58 2013 -0700
Version 18.16
diff --git a/Makefile b/Makefile
index 791917f..ccd1bd4 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-VERSION = 18.15
+VERSION = 18.16
 INSTALL = /usr/bin/install -c
 INSTALL_PROGRAM = ${INSTALL}
commit 6f9b3a9bd9b9bb41bd4db9ea992685c27e1b6b66
Author: Tomas Hoger <[email protected]>
Date: Thu May 23 05:56:11 2013 -0700
Avoid setting empty root password (#964299) When using kickstart with no rootpw command, imgcreate ended up calling "passwd -d root", leaving the root account password-less. That may lead to local or remote privilege escalation. This change does the following: 1) There's no password manipulation done when password is empty string and rootpw was not called with --iscrypted 2) Password is locked when "rootpw --lock" is used Notes: Users can still shoot themselves in a foot by using: rootpw --iscrypted "" Resolves: rhbz#964299 (CVE-2013-2069)
Signed-off-by: Brian C. Lane <[email protected]>
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index b12cd0c..1ed9f2f 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -199,9 +199,9 @@ class FirewallConfig(KickstartConfig):
 class RootPasswordConfig(KickstartConfig):
     """A class to apply a kickstart root password configuration to a system."""
-    def unset(self):
-        self.call(["/usr/bin/passwd", "-d", "root"])
-
+    def lock(self):
+        self.call(["/usr/bin/passwd", "-l", "root"])
+
     def set_encrypted(self, password):
         self.call(["/usr/sbin/usermod", "-p", password, "root"])
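Review bot: The new `lock()` method carries no docstring, and because this hunk swaps a destructive helper (`passwd -d`, the root cause of CVE-2013-2069) for a locking one, the intended contract should be stated on the method so the old behaviour is not reintroduced later as a "cleanup". Something like `"""Lock root's password via 'passwd -l'. Call this after set_encrypted/set_unencrypted so the lock applies to the final hash (see apply())."""` would do; the ordering claim follows from the second hunk of this file, where `self.lock()` runs after the set_* calls. The helper only locks password authentication; it does not touch any other login path, which is worth saying in the docstring if that matters to callers.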
@@ -224,8 +224,9 @@ class RootPasswordConfig(KickstartConfig):
             self.set_encrypted(ksrootpw.password)
         elif ksrootpw.password != "":
             self.set_unencrypted(ksrootpw.password)
-        else:
-            self.unset()
+
+        if ksrootpw.lock:
+            self.lock()
 class ServicesConfig(KickstartConfig):
     """A class to apply a kickstart services configuration to a system."""
-- livecd mailing list [email protected] https://admin.fedoraproject.org/mailman/listinfo/livecd
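Review bot: Nothing in the new code records that the no-rootpw / empty-plaintext case is now deliberately left alone, so a later reader seeing a bare `if ksrootpw.lock:` after the `elif` may "complete" the chain with an `else` again and resurrect the `passwd -d root` bug. Add a comment above the new `if`, e.g. `# No rootpw, or an empty plaintext password: leave root as the package install left it. Never "passwd -d" here (CVE-2013-2069).` The commit message also acknowledges that `rootpw --iscrypted ""` still hands an empty hash to `usermod -p`; that branch sits just above this hunk's first line, and guarding it with the same `ksrootpw.password != ""` test used on the `elif`, or at least logging a warning there, would close the gap rather than only document it. The enclosing `apply` method starts outside the hunk.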
