Bug 1002559

Summary: oo-diagnostics should check the mode on important files
Product: OpenShift Container Platform
Reporter: Brenton Leanhardt <bleanhar>
Component: Node
Assignee: Luke Meyer <lmeyer>
Status: CLOSED ERRATA
QA Contact: libra bugs <libra-bugs>
Severity: low
Priority: low
Version: 1.2.0
CC: cryan, libra-onpremise-devel, lmeyer, xiama
Hardware: Unspecified
OS: Unspecified
Fixed In Version: rubygem-openshift-origin-common-1.22.5.6-1.el6op
Doc Type: Bug Fix
Last Closed: 2014-06-23 07:37:21 UTC
Type: Bug

Description Brenton Leanhardt 2013-08-29 12:55:26 UTC
Description of problem:

This is related to Bug #1001833.  We should add a test that checks the mode/ownership for important configuration files and directories.

Comment 2 Brenton Leanhardt 2013-09-30 20:34:12 UTC
We should also add sanity checks that make sure files containing passwords do not have their modes set too loosely.

Comment 3 Luke Meyer 2014-03-24 18:42:07 UTC
In OSE 2.1 oo-diagnostics#test_apache_can_read_conf_files covers most of this. I missed Gemfile.lock and maybe others.

A lot of the conf files are owned by root and read by apache. That makes it kind of tricky to keep them locked down. I suppose they could be "chown root:apache" and "chmod o-rwx" ?

Anything else specifically needed here?

Comment 4 Brenton Leanhardt 2014-03-24 18:45:39 UTC
Nothing specific.  We were just thinking any incremental improvement would be nice.  Hard to add tests for everything that could break.  The Gemfile.lock was the only thing specifically called out in Bug #1001833.

Comment 5 Luke Meyer 2014-03-27 18:51:13 UTC
I'm going to note that oo-diagnostics#test_apache_can_read_conf_files now complains about this:

/var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf

However, that's actually incorrect. There is no need for the apache user to read apache conf files, because root reads them (and then forks to become apache user). And since this file in particular could have sensitive data for authenticating to ldap, we don't want to complain about it.

Omit httpd conf files from the test. However, openshift code/content and conf files are read after the setuid (by passenger actually) so they do need to be covered.

Comment 6 Luke Meyer 2014-03-27 18:58:49 UTC
Also it complains about the vhost confs:

/var/lib/openshift/.httpd.d/53346053c716b66c01000009_demo_asdfasdfasdf.example.com/asdfasdfasdf.example.com.crt
/var/lib/openshift/.httpd.d/53346053c716b66c01000009_demo_asdfasdfasdf.example.com/asdfasdfasdf.example.com.key

certs and keys shouldn't be a problem, they're read by root only.

apache *does* need to be able to read the .db files from mod_rewrite at runtime, although those seem unlikely to be touched by the admin.

Comment 7 Luke Meyer 2014-05-23 15:08:14 UTC
Fixing this upstream.

https://github.com/openshift/origin-server/pull/5444

Comment 8 Luke Meyer 2014-05-29 17:01:36 UTC
Adding to OSE cherrypicks:
https://github.com/openshift/enterprise-server/pull/283

Comment 11 Ma xiaoqiang 2014-06-11 10:53:20 UTC
Checked on puddle [2.1.z/2014-06-10].

Scenario 1: touch the following files, and modify the permissions:
-rw-------. 1 root   root      0 /etc/openshift/test.conf
-rw-------. 1 root   root      0 /var/www/openshift/broker/test.conf
-rw-------. 1 root   root      0 /var/www/openshift/console/test.conf
-rw-------. 1 root   root      0 /var/lib/openshift/.httpd.d/test.db

Run "oo-diagnostics test_apache_can_read_conf_files". Output:
The following configuration files have names and locations indicating
that the apache user should be able to read them, but are not readable
by the apache user:

  /etc/openshift/test.conf
  /var/www/openshift/broker/test.conf
  /var/www/openshift/console/test.conf
  /var/lib/openshift/.httpd.d/test.db

Scenario 2:
# cd /var/www/openshift/console/httpd
# chown root:root console.conf; chmod 0600 console.conf
# chown root:root conf.d/openshift-origin-auth-remote-user.conf; chmod 0600 conf.d/openshift-origin-auth-remote-user.conf
# /etc/init.d/httpd restart
# /etc/init.d/openshift-console restart

No error message is given, and the console is accessed successfully!

Comment 12 Luke Meyer 2014-06-12 17:27:39 UTC
I think several pre-fork commits may have helped address this, but this one was also related:

commit e2a5e3e3f7e3227b3b96ccf85831a923bec96cd0
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 11:59:50 2014 -0400

    diagnostics: fix errant warning on httpd conf #cherrypick

    origin-server:
    commit 366ef378d8ee735b877c92d6799cc703da0b6bd6
    Author: Luke Meyer <lmeyer>
    Date:   Fri May 23 10:54:24 2014 -0400

    test_apache_can_read_conf_files is intended to warn when the apache user
    cannot read files it needs to. The files being checked are overly broad;
    since httpd reads all of its configuration as root before switching to
    apache user, none of that needs to be apache-readable. Instead, just
    check files that apache will actually be reading at runtime. Everything
    related to Rails apps falls into this category.
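The narrowed check described in the commit message above, as an added example in Ruby (the language of oo-diagnostics) that is not oo-diagnostics' own code: it skips paths that root reads before httpd drops privileges (httpd confs, certs, keys), judges readability for the apache uid/gid from the mode bits of files apache really reads at runtime (Rails apps, mod_rewrite .db files), and adds the world-readable-secret sanity check from comment 2. The pattern lists, `diagnose` and `scan_live_host` are assumptions built from the paths named in this bug, not the real test's file list.

```ruby
# Added example (not oo-diagnostics code): the post-fix logic of
# test_apache_can_read_conf_files (check only files the apache user reads at
# runtime) plus the "secrets must not be world-readable" check from comment 2.
require 'etc'

# Read by root before httpd drops privileges, or root-only (certs/keys): skipped.
ROOT_ONLY = [%r{\A/var/www/openshift/[^/]+/httpd/}, %r{\.(crt|key)\z}].freeze
# Read by the apache user at runtime: Rails apps via Passenger, mod_rewrite .db.
APACHE_RUNTIME = [%r{\A/etc/openshift/}, %r{\A/var/www/openshift/(broker|console)/},
                  %r{\A/var/lib/openshift/\.httpd\.d/.*\.db\z}].freeze
# Files that may carry credentials (assumed list): LDAP auth conf, TLS keys.
SECRET_FILES = [%r{openshift-origin-auth-remote-user\.conf\z}, %r{\.key\z}].freeze

def apache_needs?(path)
  return false if ROOT_ONLY.any? { |re| path.match?(re) }
  APACHE_RUNTIME.any? { |re| path.match?(re) }
end

# Can a non-root user with this uid/gid read the file, judging by mode bits?
def readable_by?(stat, uid, gid)
  (stat.mode & 0o004) != 0 ||
    (stat.gid == gid && (stat.mode & 0o040) != 0) ||
    (stat.uid == uid && (stat.mode & 0o400) != 0)
end

# +paths+ are absolute; +root+ is stripped to get the logical path so the check
# also works on a staging tree. :unreadable = apache needs it but cannot read it
# (the original test); :loose_secret = credential file is world-readable.
def diagnose(paths, apache_uid:, apache_gid:, root: '')
  findings = { unreadable: [], loose_secret: [] }
  paths.each do |path|
    logical = path.delete_prefix(root)
    stat = File.stat(path)
    if apache_needs?(logical) && !readable_by?(stat, apache_uid, apache_gid)
      findings[:unreadable] << logical
    end
    if SECRET_FILES.any? { |re| logical.match?(re) } && (stat.mode & 0o004) != 0
      findings[:loose_secret] << logical
    end
  end
  findings
end

# On a live host (run as root): judge readability for the real apache user.
def scan_live_host(user = 'apache')
  pw = Etc.getpwnam(user)
  paths = Dir.glob(['/etc/openshift/*.conf', '/var/www/openshift/{broker,console}/**/*',
                    '/var/lib/openshift/.httpd.d/**/*']).select { |p| File.file?(p) }
  diagnose(paths, apache_uid: pw.uid, apache_gid: pw.gid)
end
```

Calling `scan_live_host` as root reproduces scenario 1 (the four 0600 files are listed as unreadable) while staying silent on the 0600 httpd confs of scenario 2.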

Comment 14 errata-xmlrpc 2014-06-23 07:37:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-0781.html