Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1058807 - [engine-iso-uploader] /etc/ovirt-engine/isouploader.conf is world readable (can contain password!)
Summary: [engine-iso-uploader] /etc/ovirt-engine/isouploader.conf is world readable (c...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: oVirt
Classification: Retired
Component: ovirt-iso-uploader
Version: 3.4
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ---
: 3.4.0
Assignee: Sandro Bonazzola
QA Contact: Jiri Belka
URL:
Whiteboard: integration
Depends On:
Blocks: 1058810
TreeView+ depends on / blocked
 
Reported: 2014-01-28 14:45 UTC by Jiri Belka
Modified: 2014-03-31 12:26 UTC (History)
6 users (show)

Fixed In Version: ovirt-3.4.0-beta3
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1058810 (view as bug list)
Environment:
Last Closed: 2014-03-31 12:26:54 UTC
oVirt Team: ---


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
oVirt gerrit 24490 None None None Never
oVirt gerrit 24536 None None None Never

Description Jiri Belka 2014-01-28 14:45:53 UTC
Description of problem:

/etc/ovirt-engine/isouploader.conf is world readable (can contain password!)

# ls -l /etc/ovirt-engine/isouploader.conf
-rw-r--r--. 1 root root 791 Nov 19 11:28 /etc/ovirt-engine/isouploader.conf
# grep -i pass /etc/ovirt-engine/isouploader.conf
# the oVirt Engine REST API password.
#passwd=PASSWORD

Version-Release number of selected component (if applicable):
ovirt-iso-uploader-3.4.0-0.1.beta1.el6.noarch / same in 3.3 + 3.2!

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
world readable

Expected results:
u=rw,g=r,o=

Additional info:
clone to 3.3.Z + 3.2.Z

Comment 1 Yedidyah Bar David 2014-01-28 14:53:59 UTC
Our automated scripts will never put a password there. I think it's up to the user to take care of this. Users can also create new files (for the password or other things) under /etc/ovirt-engine/isouploader.conf.d with whatever permissions they want.

Comment 2 Sandro Bonazzola 2014-01-28 14:58:13 UTC
I don't think this is really urgent as didi said. It's easy to fix.
We can change the permission on the files we ship in the rpm but user will always be responsible of the file he creates.

Comment 3 Sandro Bonazzola 2014-01-28 14:58:48 UTC
Note that this probably should be cloned to log-collector and image-uploader as well...

Comment 4 Sandro Bonazzola 2014-02-17 07:59:41 UTC
Merged on upstream and 3.4 branch

Comment 5 Jiri Belka 2014-02-19 14:12:38 UTC
ok, beta3

# ls -l /etc/ovirt-engine/isouploader.conf
-rw-r-----. 1 root root 791 Feb 17 10:44 /etc/ovirt-engine/isouploader.conf

Comment 6 Sandro Bonazzola 2014-03-31 12:26:54 UTC
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released


Note You need to log in before you can comment on or make changes to this bug.