tools/livecd-iso-to-disk.sh
by Brian C. Lane
tools/livecd-iso-to-disk.sh | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
New commits:
commit 1612a5bf3f7683246df07a81081afe180636156a
Author: Brian C. Lane <bcl(a)redhat.com>
Date: Fri May 31 10:22:50 2013 -0700
Replace bash string parsing with awk (#962039)
du in F19 adds a - at the end now, confusing the parsing. Replaced it
and a couple other instances with awk so that it is more clear what is
happening.
diff --git a/tools/livecd-iso-to-disk.sh b/tools/livecd-iso-to-disk.sh
index eb7c3cc..23612ea 100755
--- a/tools/livecd-iso-to-disk.sh
+++ b/tools/livecd-iso-to-disk.sh
@@ -941,8 +941,8 @@ if [[ live == $srctype ]]; then
targets="$TGTMNT/$SYSLINUXPATH"
[[ -n $efi ]] && targets+=" $TGTMNT$EFI_BOOT"
[[ -n $xo ]] && targets+=" $TGTMNT/boot/olpc.fth"
- duTable=($(du -c -B 1M $targets 2> /dev/null || :))
- tbd=$((tbd + ${duTable[*]: -2:1}))
+ target_size=$(du -s -c -B 1M $targets 2> /dev/null | awk '/total$/ {print $1;}') || :
+ tbd=$((tbd + target_size))
fi
if [[ -n $skipcompress ]] && [[ -s $SRCMNT/LiveOS/squashfs.img ]]; then
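Review bot: The awk pattern `/total$/` in the new `target_size` line matches any du output line that ends in "total", so a target path whose name ends that way would yield two numbers and break the `$((tbd + target_size))` arithmetic. Matching the field instead, e.g. `awk '$2 == "total" {print $1}'`, or taking only the last line of output, is stricter. The match also relies on du printing the word "total" exactly, so pinning `LC_ALL=C` on the du call is worth considering. The trailing `|| :` now only sees awk's exit status, so it no longer covers a failing du.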
@@ -973,12 +973,11 @@ if [[ live == $srctype ]]; then
sources+=" $SRCMNT/isolinux $SRCMNT/syslinux"
[[ -n $efi ]] && sources+=" $SRCMNT$EFI_BOOT"
[[ -n $xo ]] && sources+=" $SRCMNT/boot/olpc.fth"
- duTable=($(du -c -B 1M "$thisScriptpath" $sources 2> /dev/null || :))
- livesize=$((livesize + ${duTable[*]: -2:1}))
+ source_size=$(du -s -c -B 1M "$thisScriptpath" $sources 2> /dev/null | awk '/total$/ {print $1;}') || :
+ livesize=$((livesize + source_size))
fi
-freespace=($(df -B 1M --total $TGTDEV))
-freespace=${freespace[*]: -2:1}
+freespace=$(df -B 1M --total $TGTDEV | awk '/^total/ {print $4;}')
if [[ live == $srctype ]]; then
tba=$((overlaysizemb + homesizemb + livesize + swapsizemb))
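Review bot: The new `freespace` assignment has no fallback: if df fails on `$TGTDEV` or prints no line starting with "total", `freespace` ends up as an empty string rather than a number. Test for an empty result and abort with a clear message, and quote `"$TGTDEV"`. The pattern `/^total/` would also be tighter as `$1 == "total"`, since it currently matches any line that merely begins with those letters.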
10 years, 6 months
Bug when LANG!=C
by Olivier Samyn
Hello,
I tried to create an efi bootable usb stick using livecd-iso-to-disk
with the following command:
livecd-iso-to-disk --efi --format fedora.iso /dev/sdd
I got an error saying:
"EFI boot requires a GPT partition table."
"This can be done manually or you can run with --format"
As I was running with the format option it seemed a little bit strange.
It seems that parted called with the "p" command only works for English
locale (maybe a bug in parted); but it works when the full command name
is used "print" in this case.
So, I simply patched livecd-iso-to-disk to use the full parted command
name; see attached patch.
Olivier Samyn.
10 years, 6 months
imgcreate/kickstart.py
by Brian C. Lane
imgcreate/kickstart.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
New commits:
commit cbcdff5b57ceb0f3f08fdc407585d88c850c1c2d
Author: Brian C. Lane <bcl(a)redhat.com>
Date: Wed May 29 14:02:57 2013 -0700
Fix default.target symlink (#968272)
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 1ed9f2f..1d01ba5 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -255,7 +255,7 @@ class XConfig(KickstartConfig):
default_target = self.path('/etc/systemd/system/default.target')
if os.path.islink(default_target):
os.unlink(default_target)
- os.symlink(self.path('/lib/systemd/system/graphical.target'), default_target)
+ os.symlink('/lib/systemd/system/graphical.target', default_target)
class RPMMacroConfig(KickstartConfig):
"""A class to apply the specified rpm macros to the filesystem"""
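Review bot: The `os.path.islink(default_target)` guard above the new `os.symlink` call only removes an existing symlink; if default.target is present as a regular file, `os.symlink` raises OSError. Checking with `os.path.lexists` would cover both cases. A short comment that the link target is deliberately a path inside the image, not `self.path(...)` on the host, would keep this from being changed back later.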
10 years, 6 months
Branch 'rhel6-branch' - imgcreate/live.py
by Brian C. Lane
imgcreate/live.py | 1 +
1 file changed, 1 insertion(+)
New commits:
commit 1c7cc7edd3bbc77ad57ca2cea32d4a3d6870722e
Author: Brian C. Lane <bcl(a)redhat.com>
Date: Fri May 24 12:03:55 2013 -0700
Add dmsquash-live module to dracut (#957892)
diff --git a/imgcreate/live.py b/imgcreate/live.py
index 783d1db..8dc79ad 100644
--- a/imgcreate/live.py
+++ b/imgcreate/live.py
@@ -267,6 +267,7 @@ class LiveImageCreatorBase(LoopImageCreator):
f = open(path, "a")
f.write('filesystems+="' + self.__extra_filesystems() + ' "\n')
f.write('drivers+="' + self.__extra_drivers() + ' "\n')
+ f.write('add_dracutmodules+=" dmsquash-live "')
f.close()
def __create_iso(self, isodir):
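Review bot: The added `f.write('add_dracutmodules+=" dmsquash-live "')` has no trailing "\n", unlike the two writes above it. The file is opened in append mode, so anything appended afterwards lands on the same line as this setting; end the string with \n.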
10 years, 6 months
Branch 'rhel6-branch' - 2 commits - imgcreate/kickstart.py Makefile
by Brian C. Lane
Makefile | 2 +-
imgcreate/kickstart.py | 11 ++++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
New commits:
commit e588ccb44331e41cfde3fffa29ffea67b31e9307
Author: Brian C. Lane <bcl(a)redhat.com>
Date: Thu May 23 07:20:46 2013 -0700
Version 13.4.4
diff --git a/Makefile b/Makefile
index 2abfac3..9c88497 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-VERSION = 13.4.3
+VERSION = 13.4.4
INSTALL = /usr/bin/install -c
INSTALL_PROGRAM = ${INSTALL}
commit e9c44265407e63d76c9bc811f2098e036cc68438
Author: Tomas Hoger <thoger(a)redhat.com>
Date: Thu May 16 11:16:35 2013 -0700
Avoid setting empty root password (#962493)
When using kickstart with no rootpw command, imgcreate ended up calling
"passwd -d root", leaving the root account password-less. That may lead to
local or remote privilege escalation.
This change does the following:
1) There's no password manipulation done when password is empty string and
rootpw was not called with --iscrypted
2) Password is locked when "rootpw --lock" is used
Notes:
Users can still shoot themselves in a foot by using: rootpw --iscrypted ""
Resolves: rhbz#962493
Signed-off-by: Brian C. Lane <bcl(a)redhat.com>
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 41c97ee..4abba6b 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -192,9 +192,9 @@ class FirewallConfig(KickstartConfig):
class RootPasswordConfig(KickstartConfig):
"""A class to apply a kickstart root password configuration to a system."""
- def unset(self):
- self.call(["/usr/bin/passwd", "-d", "root"])
-
+ def lock(self):
+ self.call(["/usr/bin/passwd", "-l", "root"])
+
def set_encrypted(self, password):
self.call(["/usr/sbin/usermod", "-p", password, "root"])
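Review bot: The new `lock()` discards whatever `self.call` returns, so unless `call` raises on a non-zero exit, a failed `passwd -l` leaves root unlocked without any error. This is the security-relevant step of the change, so check the result and fail the image build when the lock did not apply.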
@@ -217,8 +217,9 @@ class RootPasswordConfig(KickstartConfig):
self.set_encrypted(ksrootpw.password)
elif ksrootpw.password != "":
self.set_unencrypted(ksrootpw.password)
- else:
- self.unset()
+
+ if ksrootpw.lock:
+ self.lock()
class ServicesConfig(KickstartConfig):
"""A class to apply a kickstart services configuration to a system."""
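Review bot: The crypted branch still calls `self.set_encrypted(ksrootpw.password)` with an empty string, which the commit message itself lists as a remaining way to end up with a password-less root. Guard it here too, for example by skipping or raising when the password is empty and --iscrypted is set, so that no path through this method writes an empty password field.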
10 years, 6 months
CVE-2013-2069 livecd-tools: improper handling of passwords
by Brian C. Lane
https://bugzilla.redhat.com/show_bug.cgi?id=964299
The livecd-tools package provides support for reading and executing
Kickstart files in order to create a system image. It was discovered
that livecd-tools gave the root user an empty password rather than
leaving the password locked in situations where no 'rootpw' directive
was used or when the 'rootpw --lock' directive was used within the
Kickstart file, which could allow local users to gain access to the
root account. (CVE-2013-2069)
Please note that livecd-tools is also used by appliance-tools to create
images used for virtual machines, USB based systems, and so on.
Additionally, the Python script components of livecd-tools have been
broken out into a separate package named python-imgcreate on some
distributions (such as Fedora).
Acknowledgements:
Red Hat would like to thank Amazon Web Services for reporting this
issue.
Amazon Web Services acknowledges Sylvain Beucler as the original
reporter.
--
Brian C. Lane | Anaconda Team | IRC: bcl #anaconda | Port Orchard, WA (PST8PDT)
10 years, 6 months
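A check that an image build pipeline could run against a finished image to catch the condition described in this advisory. This is an added example, not code from livecd-tools; the function names, the mounted-image path layout and the sample shadow entries are constructed for illustration.

```python
"""Audit a built image's shadow file for password-less accounts."""
import os


def classify_shadow_field(field):
    """Classify the password field (2nd column) of one shadow entry."""
    if field == "":
        return "empty"   # no password required, the state `passwd -d` leaves
    if field[0] in "!*":
        return "locked"  # matches no hash, the state `passwd -l` leaves
    return "hashed"


def audit_shadow(text):
    """Map each account in shadow-format text to its password state."""
    states = {}
    for line in text.splitlines():
        parts = line.split(":")
        if line.startswith("#") or len(parts) < 2 or not parts[0]:
            continue  # skip comments, blanks and malformed lines
        states[parts[0]] = classify_shadow_field(parts[1])
    return states


def passwordless_accounts(text):
    """Return the sorted account names whose password field is empty."""
    return sorted(n for n, s in audit_shadow(text).items() if s == "empty")


def audit_image_root(image_root):
    """Check etc/shadow under a mounted image tree (path is an assumption)."""
    with open(os.path.join(image_root, "etc", "shadow")) as fh:
        return passwordless_accounts(fh.read())


# Constructed sample entries, not taken from any real image.
SHADOW_PASSWORDLESS = "root::15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"
SHADOW_LOCKED = "root:!!:15848:0:99999:7:::\nbin:*:15848:0:99999:7:::\n"

if __name__ == "__main__":
    for name, sample in (("passwordless", SHADOW_PASSWORDLESS),
                         ("locked", SHADOW_LOCKED)):
        print(name, audit_shadow(sample), passwordless_accounts(sample))
```

Because `rootpw --iscrypted ""` also produces an empty field, the same check covers the case the commit message notes as still possible.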
Changes to 'refs/tags/livecd-tools-18.16'
by Brian C. Lane
Tag 'livecd-tools-18.16' created by Brian C. Lane <bcl(a)redhat.com> at 2013-05-23 13:24 +0000
Tag as livecd-tools-18.16
Changes since livecd-tools-18.15:
Brian C. Lane (1):
Version 18.16
Tomas Hoger (1):
Avoid setting empty root password (#964299)
---
Makefile | 2 +-
imgcreate/kickstart.py | 11 ++++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
---
10 years, 6 months
Changes to 'refs/tags/livecd-tools-19.3'
by Brian C. Lane
Tag 'livecd-tools-19.3' created by Brian C. Lane <bcl(a)redhat.com> at 2013-05-23 13:18 +0000
Tag as livecd-tools-19.3
Changes since livecd-tools-19.2:
Brian C. Lane (2):
Handle urlgrabber callback changes (#963645)
Version 19.3
Tomas Hoger (1):
Avoid setting empty root password (#964299)
---
Makefile | 2 +-
imgcreate/kickstart.py | 11 ++++++-----
imgcreate/yuminst.py | 5 +++--
3 files changed, 10 insertions(+), 8 deletions(-)
---
10 years, 6 months
Changes to 'refs/tags/livecd-tools-17.17'
by Brian C. Lane
Tag 'livecd-tools-17.17' created by Brian C. Lane <bcl(a)redhat.com> at 2013-05-23 13:28 +0000
Tag as livecd-tools-17.17
Changes since livecd-tools-17.16:
Brian C. Lane (1):
Version 17.17
Tomas Hoger (1):
Avoid setting empty root password (#964299)
---
Makefile | 2 +-
imgcreate/kickstart.py | 11 ++++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
---
10 years, 6 months
Branch 'f17-branch' - 2 commits - imgcreate/kickstart.py Makefile
by Brian C. Lane
Makefile | 2 +-
imgcreate/kickstart.py | 11 ++++++-----
2 files changed, 7 insertions(+), 6 deletions(-)
New commits:
commit ca54afa346ed1efd3a10d0933ce9f17b68517978
Author: Brian C. Lane <bcl(a)redhat.com>
Date: Thu May 23 06:28:00 2013 -0700
Version 17.17
diff --git a/Makefile b/Makefile
index 935249e..3a34806 100644
--- a/Makefile
+++ b/Makefile
@@ -1,5 +1,5 @@
-VERSION = 17.16
+VERSION = 17.17
INSTALL = /usr/bin/install -c
INSTALL_PROGRAM = ${INSTALL}
commit 132b59b2b5587eee0c8f66abea4bed28532f30e4
Author: Tomas Hoger <thoger(a)redhat.com>
Date: Thu May 23 05:56:11 2013 -0700
Avoid setting empty root password (#964299)
When using kickstart with no rootpw command, imgcreate ended up calling
"passwd -d root", leaving the root account password-less. That may lead to
local or remote privilege escalation.
This change does the following:
1) There's no password manipulation done when password is empty string and
rootpw was not called with --iscrypted
2) Password is locked when "rootpw --lock" is used
Notes:
Users can still shoot themselves in a foot by using: rootpw --iscrypted ""
Resolves: rhbz#964299 (CVE-2013-2069)
Signed-off-by: Brian C. Lane <bcl(a)redhat.com>
diff --git a/imgcreate/kickstart.py b/imgcreate/kickstart.py
index 5195e6a..3d4bbf6 100644
--- a/imgcreate/kickstart.py
+++ b/imgcreate/kickstart.py
@@ -199,9 +199,9 @@ class FirewallConfig(KickstartConfig):
class RootPasswordConfig(KickstartConfig):
"""A class to apply a kickstart root password configuration to a system."""
- def unset(self):
- self.call(["/usr/bin/passwd", "-d", "root"])
-
+ def lock(self):
+ self.call(["/usr/bin/passwd", "-l", "root"])
+
def set_encrypted(self, password):
self.call(["/usr/sbin/usermod", "-p", password, "root"])
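Review bot: `lock()` is added without a docstring, and with `unset()` removed nothing in the class records why deleting the password is no longer offered. A one-line docstring naming `rootpw --lock` and a comment referencing the bug would help the next reader.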
@@ -224,8 +224,9 @@ class RootPasswordConfig(KickstartConfig):
self.set_encrypted(ksrootpw.password)
elif ksrootpw.password != "":
self.set_unencrypted(ksrootpw.password)
- else:
- self.unset()
+
+ if ksrootpw.lock:
+ self.lock()
class ServicesConfig(KickstartConfig):
"""A class to apply a kickstart services configuration to a system."""
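Review bot: With the `else: self.unset()` branch removed, a kickstart with no rootpw and an empty password falls through both conditions and the method does nothing, which is only apparent from reading the diff. Add a comment after the if/elif stating that the no-op is intentional and that the existing root entry is left untouched.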
10 years, 6 months