From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 7AA2E139694 for ; Sat, 25 Feb 2017 00:50:49 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id CA159E0CCA; Sat, 25 Feb 2017 00:50:48 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id A690CE0CCA for ; Sat, 25 Feb 2017 00:50:48 +0000 (UTC)
Received: from oystercatcher.gentoo.org (unknown [IPv6:2a01:4f8:202:4333:225:90ff:fed9:fc84]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id BCDED341026 for ; Sat, 25 Feb 2017 00:50:47 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id CF6B95387 for ; Sat, 25 Feb 2017 00:50:45 +0000 (UTC)
From: "Robin H. Johnson"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Robin H. Johnson"
Message-ID: <1487983612.35e6ad46825721dff195ad743277af5f9bd989e1.robbat2@gentoo>
Subject: [gentoo-commits] proj/livecd-tools:master commit in: init.d/
X-VCS-Repository: proj/livecd-tools
X-VCS-Files: init.d/autoconfig
X-VCS-Directories: init.d/
X-VCS-Committer: robbat2
X-VCS-Committer-Name: Robin H. Johnson
X-VCS-Revision: 35e6ad46825721dff195ad743277af5f9bd989e1
X-VCS-Branch: master
Date: Sat, 25 Feb 2017 00:50:45 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 0d4ed275-e877-463a-9248-5de026cc680c
X-Archives-Hash: 5ff36a399a229e387ad7f69782a9763f

commit:     35e6ad46825721dff195ad743277af5f9bd989e1
Author:     Robin H. Johnson gentoo org>
AuthorDate: Sat Feb 25 00:46:45 2017 +0000
Commit:     Robin H. Johnson gentoo org>
CommitDate: Sat Feb 25 00:46:52 2017 +0000
URL:        https://gitweb.gentoo.org/proj/livecd-tools.git/commit/?id=35e6ad46

autoconfig: protect password in /proc/cmdline.

If passing a root password in /proc/cmdline, we should protect
/proc/cmdline from non-root users.

If root mounts a NEW /proc filesystem, this will be exposed again, but
that's out of our control.

The kernel boot parameter hidepid= only affects /proc/$PID/cmdline, so
cannot be used in this case.

Fixes: https://bugs.gentoo.org/show_bug.cgi?id=610840
Signed-off-by: Robin H. Johnson gentoo.org>

 init.d/autoconfig | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init.d/autoconfig b/init.d/autoconfig
index 5991fef..76d6086 100644
--- a/init.d/autoconfig
+++ b/init.d/autoconfig
@@ -534,6 +534,7 @@ start() { fi if ! yesno "${PASSWD}" then + chmod og-r /proc/cmdline # Try to secure the kernel parameters per bug #610840 echo "root:${PASSWORD}" | chpasswd > /dev/null 2>&1 fi if yesno "${SSHD}"
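Review bot: the `chmod og-r /proc/cmdline` added in this hunk closes one read path but leaves a second copy of the same boot parameters readable: the kernel prints the full command line into the ring buffer at boot ("Kernel command line: ..."), and any local user can read that with dmesg unless kernel.dmesg_restrict is 1 (/proc/sys/kernel/dmesg_restrict). Consider setting that sysctl in the same `if ! yesno "${PASSWD}"` branch, and checking that the chmod actually took effect (for example `stat -c %a /proc/cmdline` printing 400) rather than discarding its exit status, since the comment only says "Try to secure". The fresh /proc mount case noted in the commit message is outside this script's control, but the kernel log copy is not.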
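As an added example, not code from livecd-tools or from this commit, the following POSIX sh helper applies the same restriction to a file, verifies it took effect, and also checks the kernel-log side channel the chmod does not cover. The function names, the `--apply` flag, the file/sysctl path parameters, and the use of `stat -c %a` (GNU or BusyBox stat) are assumptions made for the example; the chmod itself only succeeds as root.

```shell
#!/bin/sh
# Added example (not part of livecd-tools): restrict read access to the kernel
# command line after a secret has been passed on it, then verify the result.
# Assumes: stat -c %a is available; paths are parameters so the checks can be
# exercised against ordinary files without root.

# others_can_read MODE: succeed (0) if an octal mode such as 444 or 0644
# grants the read bit to group or other.
others_can_read() {
    low=$(printf '000%s' "$1" | tail -c 3)   # last three octal digits, zero-padded
    g=$(printf '%s' "$low" | cut -c2)
    o=$(printf '%s' "$low" | cut -c3)
    [ $(( g & 4 )) -ne 0 ] || [ $(( o & 4 )) -ne 0 ]
}

# file_mode PATH: print the permission bits in octal, e.g. 444
file_mode() {
    stat -c %a "$1"
}

# protect_cmdline [PATH]: remove group/other read permission (default
# /proc/cmdline) and confirm it, instead of discarding chmod's exit status.
# Returns 0 when the file is no longer readable by group or other.
protect_cmdline() {
    f=${1:-/proc/cmdline}
    chmod og-r "$f" 2>/dev/null
    if others_can_read "$(file_mode "$f" 2>/dev/null)"; then
        echo "warning: $f is still readable by group/other" >&2
        return 1
    fi
    return 0
}

# kernel_log_restricted [SYSCTL_FILE]: the kernel also logs the boot
# parameters ("Kernel command line: ...") into the ring buffer, which
# unprivileged users can read via dmesg unless kernel.dmesg_restrict=1.
# Returns 0 when the sysctl (default /proc/sys/kernel/dmesg_restrict) is 1.
kernel_log_restricted() {
    f=${1:-/proc/sys/kernel/dmesg_restrict}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Usage on a live system (as root): sh thisfile.sh --apply
if [ "${1-}" = "--apply" ]; then
    protect_cmdline
    kernel_log_restricted || echo "warning: dmesg still exposes the command line" >&2
fi
```

The exit status of `protect_cmdline` is what an init script should branch on: if the chmod silently fails (non-root, read-only or missing /proc), the password is still world-readable and the script should say so rather than continue as if it were hidden.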