author: Robin H. Johnson <robbat2@gentoo.org> 2017-02-24 16:46:45 -0800
committer: Robin H. Johnson <robbat2@gentoo.org> 2017-02-24 16:46:52 -0800
commit: 35e6ad46825721dff195ad743277af5f9bd989e1
tree: 3db30e8747a16333c3c5e23b4f788080a199522a
parent: net-setup: add WPA{,2}-PSK setup option
autoconfig: protect password in /proc/cmdline.

If passing a root password in /proc/cmdline, we should protect /proc/cmdline from non-root users.

If root mounts a NEW /proc filesystem, this will be exposed again, but that's out of our control.

The kernel boot parameter hidepid= only affects /proc/$PID/cmdline, so cannot be used in this case.

Fixes: https://bugs.gentoo.org/show_bug.cgi?id=610840
Signed-off-by: Robin H. Johnson <robbat2@gentoo.org>

-rw-r--r-- init.d/autoconfig 1
1 files changed, 1 insertions, 0 deletions
diff --git a/init.d/autoconfig b/init.d/autoconfig
index 5991fef..76d6086 100644
--- a/init.d/autoconfig
+++ b/init.d/autoconfig
@@ -534,6 +534,7 @@ start() {
fi
if ! yesno "${PASSWD}"
then
+ chmod og-r /proc/cmdline # Try to secure the kernel parameters per bug #610840
echo "root:${PASSWORD}" | chpasswd > /dev/null 2>&1
fi
if yesno "${SSHD}"
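
Review bot: the result of the added `chmod og-r /proc/cmdline` is ignored, so if the mode change fails the script carries on to `chpasswd` with the root password still readable by non-root users and nothing logged. The comment says "Try to", but the code never reports whether the attempt worked; check the exit status and emit a warning on failure. The chmod also sits inside the `if ! yesno "${PASSWD}"` branch, directly before `chpasswd`, so /proc/cmdline keeps its default world-readable mode for everything that runs earlier in start(); moving the call to the top of start() would shorten that window. The commit message's caveat that a newly mounted /proc exposes the value again is worth repeating in the inline comment, since that is where a later reader of the script will look.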