Automation Security Suggestion #112

New issue

Open

opened 2025-04-25 14:46:30 +02:00 by lielmazar · 0 comments

lielmazar commented

2025-04-25 14:46:30 +02:00

(Migrated from github.com)

Hello all!

While writing automation script for this guide How to install Ubuntu 24.04 with full disk encryption, I encountered a possible security issue when using "installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh".

installimage prints the content of setup.conf on terminal, including the CRYPTPASSWORD value, making it a possible security risk if logged and leaked (This originating from autosetup.sh line 27).

I suggest replacing line 27 in autosetup.sh from:

grep -v "^#" "$FOLD/install.conf" | grep -v "^$"

grep -v "^#" "$FOLD/install.conf" | grep -v "^$" | sed -E 's/^(CRYPTPASSWORD[[:space:]]+).*/\1<REDACTED>/'

Solution was tested with fresh install of ubuntu 22.04 on EX44 dedicated machine.

I'm new to open-source contributions! what do you think?

Hello all! While writing automation script for this guide [How to install Ubuntu 24.04 with full disk encryption](https://community.hetzner.com/tutorials/install-ubuntu-2004-with-full-disk-encryption ), I encountered a possible security issue when using "installimage -a -c /tmp/setup.conf -x /tmp/post-install.sh". installimage prints the content of setup.conf on terminal, including the CRYPTPASSWORD value, making it a possible security risk if logged and leaked (This originating from [autosetup.sh](https://github.com/hetzneronline/installimage/blob/d7805b2c54a28bdfc32d57a537d30d6e9eb3ec78/autosetup.sh#L27C1-L27C49) line 27). I suggest replacing line 27 in autosetup.sh from: ` grep -v "^#" "$FOLD/install.conf" | grep -v "^$" ` to ` grep -v "^#" "$FOLD/install.conf" | grep -v "^$" | sed -E 's/^(CRYPTPASSWORD[[:space:]]+).*/\1<REDACTED>/' ` Solution was tested with fresh install of ubuntu 22.04 on EX44 dedicated machine. I'm new to open-source contributions! what do you think?