On EC2, instance metadata can include credentials that remain valid for as much
as 6 hours. Reading these and allowing them to be pickled represents a
potential vulnerability if a snapshot of the disk is taken and shared as part
of an AMI.
This skips security-credentials when walking the meta-data tree.
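The skip described in the commit message above, shown as an added example that is not the project's own code: a metadata walker that never descends into `security-credentials`, so the pickled result cannot carry the temporary keys onto disk. The tree contents, `RecordingFetcher`, `walk` and `crawl_and_pickle` are constructed for illustration.

```python
import pickle

# Constructed sample of a metadata tree. A key ending in "/" is a directory
# whose value is its listing; any other key is a leaf value.
SAMPLE_TREE = {
    "meta-data/": "instance-id\nhostname\niam/",
    "meta-data/instance-id": "i-0123456789abcdef0",
    "meta-data/hostname": "ip-10-0-0-1.example.internal",
    "meta-data/iam/": "info\nsecurity-credentials/",
    "meta-data/iam/info": '{"Code": "Success"}',
    "meta-data/iam/security-credentials/": "example-role",
    "meta-data/iam/security-credentials/example-role":
        '{"SecretAccessKey": "CONSTRUCTED-SECRET"}',
}

SKIP = frozenset({"security-credentials"})  # names that are never descended into


class RecordingFetcher:
    """Stand-in for the HTTP client; records every path that is read."""

    def __init__(self, tree):
        self.tree = tree
        self.requested = []

    def __call__(self, path):
        self.requested.append(path)
        return self.tree[path]


def walk(fetch, path, skip=SKIP):
    """Return the tree under `path` as nested dicts, without fetching skipped names."""
    result = {}
    for entry in fetch(path).splitlines():
        name = entry.rstrip("/")
        if not name or name in skip:
            continue  # skipped before any request is made for it
        if entry.endswith("/"):
            result[name] = walk(fetch, path + entry, skip)
        else:
            result[name] = fetch(path + entry)
    return result


def crawl_and_pickle(skip=SKIP):
    """Walk the sample tree and pickle the result, as a cache on disk would."""
    fetch = RecordingFetcher(SAMPLE_TREE)
    data = walk(fetch, "meta-data/", skip)
    return data, pickle.dumps(data), fetch.requested
```

Calling `crawl_and_pickle(skip=frozenset())` shows the behaviour before the fix: the secret string ends up inside the pickle bytes.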
9687d60... by Iliana Weller <email address hidden>
Remove call to "yum makecache" in distros.rhel
update_package_sources is designed to be the "apt-get update" step as
opposed to the "apt-get upgrade" on dpkg-based distributions. yum
performs an automatic metadata update when no metadata is available or
when cached metadata is sufficiently old.
"yum makecache" additionally downloads _all_ available metadata,
including the filelists database, while yum's update / upgrade /
distro-sync / etc. commands download only the required metadata for that
transaction.
Reviewed-by: Ben Cressey <email address hidden>
Reviewed-by: Sean Kelly <email address hidden>
Also fix a minor bug where an empty config entry causes a crash.
Note that this is arguably incomplete since the module does not
set PEERDNS=no, so it's possible for DHCP to overwrite your file.
The module issues a warning about this.
It may make more sense to have a distro-specific function for this
and to take advantage of the ifup/down scripts support for overriding
resolv.conf contents.
Reviewed-by: Tom Kirchner <email address hidden>
Reviewed-by: Iliana Weller <email address hidden>
[<email address hidden>: rebase onto 0.7.9]
The passwd utility doesn't correctly maintain the context of /etc/shadow, but
the usermod utility does. This is an incomplete fix for the issue as there are
other uses of passwd, but this is the one that is in use by default.
Reviewed-by: Tom Kirchner <email address hidden>
Reviewed-by: Jason Green <email address hidden>
Reviewed-by: Rodrigo Novo <email address hidden>
[<email address hidden>: rebase onto 0.7.9]
Fixed typo in log message.
Skip also if the device is not present (instead of only if the target isn't specified).
Resolve intervening symlinks in device nodes.
Reviewed-by: Matt Nierzwicki <email address hidden>
Reviewed-by: Ethan Faust <email address hidden>
[<email address hidden>: Resolve intervening symlinks]
Reviewed-by: Ben Cressey <email address hidden>
Reviewed-by: Frank Becker <email address hidden>
[<email address hidden>: rebase onto 0.7.9]
Add chkconfig directives; move cloud-final near end
chkconfig does not support the $all system facility that insserv uses to push
this to the end of the boot process, so we need chkconfig hints as well.
Also, there's a bug in ntsysv that goes undetected because almost no init
scripts lack these directive comments. If you run ntsysv and then exit (even
without doing anything!) init scripts that lack these directives can be reset
to -1, which isn't even a real rc priority.
Reviewed-by: James Anderson <email address hidden>
Reviewed-by: Tom Kirchner <email address hidden>
[<email address hidden>: Add chkconfig directives to work around bug in ntsysv]
Reviewed-by: Jason Green <email address hidden>
Reviewed-by: Tom Kirchner <email address hidden>
[<email address hidden>: rebase onto 0.7.9]