RHUA password disclosure
Issue
We've found that when using rhui-manager and providing user/pwd as arguments, another user can see our password if they list the rhui-manager process.
Example of invocation:
# /usr/bin/rhui-manager --username admin --password fancypassword status --code
Example of ps:
root 28180 5.6 1.1 317620 21816 pts/0 R+ 13:36 0:00 /usr/bin/python /usr/bin/rhui-manager --username admin --password fancypassword status --code
Version affected is RHUI 2.1-2
[root@xxx log]# rpm -qa | egrep "rhua|rhui"
gofer-0.65.rhui-1.el6_3.noarch
rh-rhui-tools-debug-script-2.1.19-1.el6_4.noarch
grinder-0.0.138.2-1.el6_4.rhui.noarch
gofer-package-0.65.rhui-1.el6_3.noarch
rh-rhui-tools-2.1.19-1.el6_4.noarch
rh-rhua-config-2.1-2.el6.noarch
python-gofer-0.65.rhui-1.el6_3.noarch
rh-rhua-selinux-policy-0.0.6-1.el6.noarch
Could it be possible to replace the password with *'s or something like that in order to not disclose our password?
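A check for the exposure described above, as an added example that is not part of the original article or of RHUI: on Linux, /proc/<pid>/cmdline is readable by other local users by default, so this script scans it for secret-bearing flags and reports a masked command line. It also handles the --flag=value form, which the article does not show. Apart from --password, the flag names in SECRET_FLAGS are assumptions, and SAMPLE is constructed from the ps line above.

```python
import os
# Assumption: only --password is from the article; the other flags are hypothetical.
SECRET_FLAGS = ("--password", "--passwd", "--token")
MASK = "********"
# Constructed sample: /proc/<pid>/cmdline bytes matching the article's ps line.
SAMPLE = (b"/usr/bin/python\0/usr/bin/rhui-manager\0--username\0admin\0"
          b"--password\0fancypassword\0status\0--code\0")


def parse_cmdline(raw):
    """Split NUL-separated /proc/<pid>/cmdline bytes into an argv list."""
    raw = raw.rstrip(b"\0")
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0")] if raw else []


def redact(argv):
    """Return (masked_argv, exposed_flags) for one process's arguments."""
    out, exposed, mask_next = [], [], False
    for i, arg in enumerate(argv):
        flag, sep, value = arg.partition("=")
        if mask_next:                      # value of a preceding "--flag value"
            out.append(MASK)
            mask_next = False
        elif flag in SECRET_FLAGS and sep and value:   # "--flag=value"
            out.append(flag + "=" + MASK)
            exposed.append(flag)
        elif arg in SECRET_FLAGS and i + 1 < len(argv):
            out.append(arg)
            exposed.append(arg)
            mask_next = True
        else:
            out.append(arg)
    return out, exposed


def scan_proc(proc_root="/proc"):
    """List (pid, masked_argv, exposed_flags) for processes leaking a secret."""
    findings = []
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                masked, exposed = redact(parse_cmdline(fh.read()))
        except (IOError, OSError):         # process exited or is unreadable
            continue
        if exposed:
            findings.append((int(entry), masked, exposed))
    return findings

if __name__ == "__main__":
    for pid, masked, exposed in scan_proc():
        print("PID %d exposes %s: %s" % (pid, ", ".join(exposed), " ".join(masked)))
```

Run it as root if /proc is mounted with hidepid, since other users' processes are hidden from unprivileged accounts in that case.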
Environment
- Red Hat Update Infrastructure 2.1