http://bugzilla.opensuse.org/show_bug.cgi?id=1029036 http://bugzilla.opensuse.org/show_bug.cgi?id=1029036#c1 John Shand changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jshand2013@gmail.com --- Comment #1 from John Shand --- i think this has been fixed -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1029036 http://bugzilla.opensuse.org/show_bug.cgi?id=1029036#c3 Andreas Stieger changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |astieger@suse.com, | |fvogt@suse.com, | |kukuk@suse.com, | |security-team@suse.de Component|Security |Basesystem Assignee|security-team@suse.de |kukuk@suse.com Summary|AUDIT-0: issue-generator: |issue-generator: Network |Network interface name and |interface name and IP |IP address show at login |address show at login |prompt |prompt Severity|Major |Normal --- Comment #3 from Andreas Stieger --- Content of /etc/issue is shown to VT logins. VT login implies physical access to the machine. That means that an adversary in this case can already retrieve the same information from the machine, plug into the network or steal it outright. I do not see how presenting this information to VT logins crosses a privilege boundary. If that information was critical, you could not show the distribution name, date, kernel, or hostname either. I also see a legitimate use case of identifying the machine to VM host or data center operators. As such I do not see a security issue, and see no need to change this default based on security reasons alone. Closing AUDIT. If you think otherwise, please present a security case. Assigning to maintainer to handle this as a usability issue. But as usual, you can argue for what the default should be both ways. Thorsten? -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1029036 http://bugzilla.opensuse.org/show_bug.cgi?id=1029036#c5 --- Comment #5 from Andreas Stieger --- (In reply to George Anchev from comment #4)

Having physical access can ease the process of getting root access. Does that mean the login prompt should publish the root password too?

No, but nobody claimed that is should. Are you mentioning such an idiotic setting to make your view seem more plausible?

- why is it important at all to know the eth adapter name and IP address?

To identify the machine when operating a data center rack or VM host.

How has linux login been possible and not problematic for so many years and now suddenly it has to be different?

I wonder why. Note that the US DoD will place half a page of text on the login screen prior to the login prompt. Last time I spoke with them they had no issues logging in.

The login is something crucial in any system, so it should not be a place that provides additional info. On the contrary - it serves the purpose of restricting access to information. So providing extra any information before login is working against the very idea of having a restriction. It is conceptually wrong.

See above, the purpose is to identify the machine. If you have an issue with that information, you could not show ANY information. Also you totally disregard the physical access factor. -- You are receiving this mail because: You are on the CC list for the bug.

http://bugzilla.opensuse.org/show_bug.cgi?id=1029036 http://bugzilla.opensuse.org/show_bug.cgi?id=1029036#c7 --- Comment #7 from Andreas Stieger --- (In reply to George Anchev from comment #6)

(In reply to Andreas Stieger from comment #5)

...

No, but nobody claimed that is should. Are you mentioning such an idiotic setting to make your view seem more plausible?

Is bugzilla now a place to abuse bug reporters?

No it is not, but showing the root password would be a rather bad thing to do. I am not sure why you would bring that up. -- You are receiving this mail because: You are on the CC list for the bug.