[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Option to write %pre, %post in /root/anaconda-ks.cfg



Hello list,
I've just found that resulting anaconda-ks.cfg does not include the %pre, %post, %traceback scripts from the ks.cfg used for installation.
I've talked to several people and here is the result.

Why this is missing:
1) If the initial ks.cfg contains some sensitive information it should not get written to disc.

- IMO if such info is used it's already present somewhere on disc.
- An attacker may sniff the network traffic and discover that info if needed.
- /root is accessible to root user

Hence there is not much argument of a security point of view to skip the %post in anaconda-ks.cfg

Why it should be there:
1) To be able to reproduce the same install over and over again. In some cases %post may be tweaking settings or custom configuration.

2) To keep the configuration used during installation in cases where ks.cfg is generated dynamically/not available after some period, etc.

3) To have things where one expects to be: anaconda-ks.cfg

How it should appear in anaconda:

- The most reasonable solution is to probably have another option --write-ks-scripts which will enable this functionality. Scripts can be written directly to resulting anaconda-ks.cfg or in separate files e.g. anaconda-ks.pre, anaconda-ks.post, etc.

Any comments and concerns are welcome.

Greetings,
Alexander.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]