[MBT] new ticket for pkg installer "root password is left clear in a file after installation"

bugs at pld-linux.org
Sat Apr 17 22:20:15 CEST 2004


Date: 2004-04-17 22:20:14+02	Author: Jacek Misiurewicz (mjacek) <jmisiure at elka.pw.edu.pl> 
Title:         root password is left clear in a file after installation
Ticket ID:     #885
Ticket URL:    http://bugs.pld-linux.org/?bug=885
Package:       installer-pld-i686-test-20040401-CD1
Distribution:  
Category:      security problem
Current state: opened
Text:

In a system installed from:
PLD 2.0 (Ac) alpha-5 20040401 CD1 i686

after successful installation, there is a file left:
/etc/installer.sysconf
containing cleartext versions of root and user passwords.

This WOULD be OK, but ONLY under a strong condition:
the administrator SHOULD be warned, with a 
<<<<<BIG FAT RED WARNING>>>>>
when choosing the password in the pre-install configuration stage, that things go that way, so that he chooses a TEMPORARY password in this stage.

Maybe an experienced PLD admin does so as the first thing, but 99% of users (including me) are lame....

N.B.: erasing a file closes 50% of the security gap. Another 50% would include washing the disk.... 
100% is to change the root password, but many admins choose similar passwords for all their machines....

And a 100% gap would be to leave the file without knowing it is sensitive....
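
An added example, not part of the original ticket and not PLD installer code: a shell audit for the three conditions the report raises (the file still exists, who can read it, and whether the root password was changed after it was written). The function names are hypothetical, and it assumes the file's modification time reflects the installation; it never reads or prints the file's contents.

```shell
#!/bin/sh
# Added example: audit a host for the leftover installer file from this ticket.
# Paths are arguments so the check can be tried on constructed copies.

# Whole days since the epoch at which the file was last modified.
file_mtime_days() {
    secs=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1") || return 1
    echo $((secs / 86400))
}

# Field 3 of a shadow(5) entry: day (since the epoch) of the last password change.
shadow_lastchg_days() {    # $1 = shadow file, $2 = user name
    awk -F: -v u="$2" '$1 == u { print $3 }' "$1"
}

# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_installer_leftover() {    # $1 = installer.sysconf path, $2 = shadow path
    conf=$1; shadow=$2
    if [ ! -e "$conf" ]; then
        echo "OK: $conf is not present"
        return 0
    fi
    echo "FINDING: $conf still exists"
    # Characters 5 and 8 of the ls mode string are the group/other read bits.
    case $(ls -ld "$conf" | cut -c5,8) in
        *r*) echo "FINDING: $conf is readable by non-root users" ;;
    esac
    mt=$(file_mtime_days "$conf")
    chg=$(shadow_lastchg_days "$shadow" root)
    # Day granularity: a change on the installation day itself still counts
    # as unchanged, which errs on the side of reporting.
    if [ -z "$chg" ] || [ "$chg" -le "$mt" ]; then
        echo "FINDING: root password not changed since $conf was written"
    else
        echo "INFO: root password changed after $conf was written"
    fi
    return 1
}

# Usage (as root): audit_installer_leftover /etc/installer.sysconf /etc/shadow
```

The audit keeps returning 1 until the file itself is gone, even after the root password has been changed.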
