From 35e6ad46825721dff195ad743277af5f9bd989e1 Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Fri, 24 Feb 2017 16:46:45 -0800 Subject: autoconfig: protect password in /proc/cmdline. If passing a root password in /proc/cmdline, we should protect /proc/cmdline from non-root users. If root mounts a NEW /proc filesystem, this will be exposed again, but that's out of our control. The kernel boot parameter hidepid= only affects /proc/$PID/cmdline, so cannot be used in this case. Fixes: https://bugs.gentoo.org/show_bug.cgi?id=610840 Signed-off-by: Robin H. Johnson --- init.d/autoconfig | 1 + 1 file changed, 1 insertion(+) diff --git a/init.d/autoconfig b/init.d/autoconfig index 5991fef..76d6086 100644 --- a/init.d/autoconfig +++ b/init.d/autoconfig @@ -534,6 +534,7 @@ start() { fi if ! yesno "${PASSWD}" then + chmod og-r /proc/cmdline # Try to secure the kernel parameters per bug #610840 echo "root:${PASSWORD}" | chpasswd > /dev/null 2>&1 fi if yesno "${SSHD}" -- cgit v1.2.3-65-gdbad
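Review bot: The added `chmod og-r /proc/cmdline` in the `if ! yesno "${PASSWD}"` branch of start() has no check on its result, so if the mode change is refused the script goes on to `chpasswd` with the password still world-readable and nothing logged. Test the exit status and emit a warning on failure, so an operator can tell the protection was not applied. The call also sits only inside this one branch, so any boot path that carries the password on the command line but skips the branch leaves /proc/cmdline readable; consider moving it to wherever the password parameter is first parsed. The trailing comment says "Try to secure", which understates the limit the commit message spells out (a newly mounted /proc exposes the file again); a one-line comment noting that limit would keep it next to the code.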