Bug 1002559
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | oo-diagnostics should check the mode on important files | | |
| Product | OpenShift Container Platform | Reporter | Brenton Leanhardt <bleanhar> |
| Component | Node | Assignee | Luke Meyer <lmeyer> |
| Status | CLOSED ERRATA | QA Contact | libra bugs <libra-bugs> |
| Severity | low | Docs Contact | |
| Priority | low | | |
| Version | 1.2.0 | CC | cryan, libra-onpremise-devel, lmeyer, xiama |
| Target Milestone | --- | | |
| Target Release | --- | | |
| Hardware | Unspecified | | |
| OS | Unspecified | | |
| Whiteboard | | | |
| Fixed In Version | rubygem-openshift-origin-common-1.22.5.6-1.el6op | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2014-06-23 07:37:21 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
Description
Brenton Leanhardt
2013-08-29 12:55:26 UTC
We should also add sanity checks that make sure files containing passwords do not have their modes set too loosely. In OSE 2.1 oo-diagnostics#test_apache_can_read_conf_files covers most of this. I missed Gemfile.lock and maybe others.

A lot of the conf files are owned by root and read by apache. That makes it kind of tricky to keep them locked down. I suppose they could be "chown root:apache" and "chmod o-rwx"? Anything else specifically needed here?

Nothing specific. We were just thinking any incremental improvement would be nice. Hard to add tests for everything that could break. The Gemfile.lock was the only thing specifically called out in Bug #1001833.

I'm going to note that oo-diagnostics#test_apache_can_read_conf_files now complains about this:

```text
/var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf
```

However, that's actually incorrect. There is no need for the apache user to read apache conf files, because root reads them (and then forks to become apache user). And since this file in particular could have sensitive data for authenticating to ldap, we don't want to complain about it. Omit httpd conf files from the test. However, openshift code/content and conf files are read after the setuid (by passenger actually) so they do need to be covered.

Also it complains about the vhost confs:

```text
/var/lib/openshift/.httpd.d/53346053c716b66c01000009_demo_asdfasdfasdf.example.com/asdfasdfasdf.example.com.crt
/var/lib/openshift/.httpd.d/53346053c716b66c01000009_demo_asdfasdfasdf.example.com/asdfasdfasdf.example.com.key
```

certs and keys shouldn't be a problem, they're read by root only. apache *does* need to be able to read the .db files from mod_rewrite at runtime, although those seem unlikely to be touched by the admin. Fixing this upstream.
https://github.com/openshift/origin-server/pull/5444

Adding to OSE cherrypicks: https://github.com/openshift/enterprise-server/pull/283

Check on puddle [2.1.z/2014-06-10]

Scenario 1: touch the following files, and modify the permission

```text
-rw-------. 1 root root 0 /etc/openshift/test.conf
-rw-------. 1 root root 0 /var/www/openshift/broker/test.conf
-rw-------. 1 root root 0 /var/www/openshift/console/test.conf
-rw-------. 1 root root 0 /var/lib/openshift/.httpd.d/test.db
```

Run "oo-diagnostics test_apache_can_read_conf_files". Output:

```text
The following configuration files have names and locations indicating that the apache user should be able to read them, but are not readable by the apache user:
/etc/openshift/test.conf
/var/www/openshift/broker/test.conf
/var/www/openshift/console/test.conf
/var/lib/openshift/.httpd.d/test.db
```

Scenario 2:

```text
# cd /var/www/openshift/console/httpd
# chown root:root console.conf; chmod 0600 console.conf
# chown root:root conf.d/openshift-origin-auth-remote-user.conf; chmod 0600 conf.d/openshift-origin-auth-remote-user.conf
# /etc/init.d/httpd restart
# /etc/init.d/openshift-console restart
```

No error message is given, and the console is accessed successfully!

I think several pre-fork commits may have helped address this, but this one was also related:

```text
commit e2a5e3e3f7e3227b3b96ccf85831a923bec96cd0
Commit:     Luke Meyer <lmeyer>
CommitDate: Thu May 29 11:59:50 2014 -0400

    diagnostics: fix errant warning on httpd conf
    #cherrypick origin-server: commit 366ef378d8ee735b877c92d6799cc703da0b6bd6
    Author: Luke Meyer <lmeyer>
    Date:   Fri May 23 10:54:24 2014 -0400

    test_apache_can_read_conf_files is intended to warn when the apache user
    cannot read files it needs to. The files being checked are overly broad;
    since httpd reads all of its configuration as root before switching to
    apache user, none of that needs to be apache-readable. Instead, just check
    files that apache will actually be reading at runtime. Everything related
    to Rails apps falls into this category.
```
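The following is an added example, not the oo-diagnostics code from origin-server or enterprise-server. It sketches in Ruby the two checks this thread converges on: the scoped "apache must be able to read it" warning from the commit message (Rails app content and config read after the setuid, plus the mod_rewrite .db maps, but not httpd conf or vhost certs and keys, which root reads before forking), and the loose-mode sanity check from the description (a credential-bearing file should not be readable by "other"; "chown root:apache" plus "chmod o-rwx" keeps it readable through the group). The path patterns are an assumption reconstructed from the QA scenarios above, the ".conf means sensitive" rule is an assumption, and because an example cannot setuid, the apache user is stood in for by a uid that owns nothing in the sample tree plus the group the files were created with. The sample tree is constructed inside a temp directory laid out like the real filesystem.

```ruby
# Added example, not the oo-diagnostics code from origin-server.
# Assumed path patterns (from the QA scenarios in this bug, not the real test's
# file list); ".conf is sensitive" is likewise an assumption.
require 'find'
require 'fileutils'
require 'tmpdir'

# Read by root before the fork; 0600 root:root is fine here (httpd conf,
# vhost .crt/.key under /var/lib/openshift/.httpd.d).
ROOT_ONLY_RE = %r{/httpd/|\.(?:crt|key)\z}
# Read by the apache user at runtime (Passenger for the Rails apps,
# mod_rewrite for the .db maps).
APACHE_RUNTIME_RE = %r{\A/etc/openshift/|\A/var/www/openshift/(?:broker|console)/|\A/var/lib/openshift/\.httpd\.d/.*\.db\z}
# Assumed: treat every .conf as potentially credential-bearing.
SENSITIVE_RE = /\.conf\z/

# Should the apache user be able to read this root-relative path?
def apache_should_read?(rel)
  APACHE_RUNTIME_RE.match?(rel) && !ROOT_ONLY_RE.match?(rel)
end

# Can a non-root user with +uid+ and +gids+ read +path+, judging by owner,
# group and mode bits alone? Directory search bits and ACLs are ignored
# (a simplification; the real diagnostic runs the check as the apache user).
def readable_by?(path, uid:, gids:)
  st = File.stat(path)
  return (st.mode & 0o400) != 0 if st.uid == uid
  return (st.mode & 0o040) != 0 if gids.include?(st.gid)
  (st.mode & 0o004) != 0
end

# All regular files below +root+ as [absolute, root-relative] pairs. Find
# descends into dot-directories such as .httpd.d, unlike a default Dir.glob.
def files_under(root)
  base = root.chomp('/')
  out = []
  Find.find(root) { |p| out << [p, p.delete_prefix(base)] if File.file?(p) }
  out
end

# Root-relative paths apache needs at runtime but cannot read: the warning
# whose scope this bug narrows.
def unreadable_by_apache(root, uid:, gids:)
  files_under(root)
    .select { |abs, rel| apache_should_read?(rel) && !readable_by?(abs, uid: uid, gids: gids) }
    .map { |_, rel| rel }
    .sort
end

# Root-relative .conf files readable by "other": the loose-mode condition
# that "chmod o-rwx" is meant to remove.
def world_readable_confs(root)
  files_under(root)
    .select { |abs, rel| SENSITIVE_RE.match?(rel) && (File.stat(abs).mode & 0o004) != 0 }
    .map { |_, rel| rel }
    .sort
end

# Constructed sample tree mirroring the QA scenarios (modes as in the
# scenarios), plus one locked-down and one world-readable /etc/openshift file.
SCENARIO_FILES = {
  '/etc/openshift/test.conf'                      => 0o600,
  '/var/www/openshift/broker/test.conf'           => 0o600,
  '/var/www/openshift/console/test.conf'          => 0o600,
  '/var/lib/openshift/.httpd.d/test.db'           => 0o600,
  '/var/www/openshift/console/httpd/console.conf' => 0o600,
  '/var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf' => 0o600,
  '/var/lib/openshift/.httpd.d/53346053c716b66c01000009_demo_asdfasdfasdf.example.com/asdfasdfasdf.example.com.key' => 0o600,
  '/etc/openshift/locked.conf'                    => 0o640, # the root:apache, o-rwx case
  '/etc/openshift/loose.conf'                     => 0o644  # world-readable
}.freeze

def build_scenario_tree(root)
  SCENARIO_FILES.each do |rel, mode|
    abs = File.join(root, rel)
    FileUtils.mkdir_p(File.dirname(abs))
    File.write(abs, "# constructed sample file\n")
    File.chmod(mode, abs)
  end
end

# Run both checks against the sample tree. The apache stand-in is a uid that
# owns nothing in the tree plus the group the files were created with.
def run_demo
  Dir.mktmpdir('oo-diag-example-') do |root|
    build_scenario_tree(root)
    fake_uid   = Process.uid + 1
    apache_gid = File.stat(File.join(root, '/etc/openshift/locked.conf')).gid
    {
      unreadable:     unreadable_by_apache(root, uid: fake_uid, gids: [apache_gid]),
      world_readable: world_readable_confs(root)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  r = run_demo
  puts 'Apache should read but cannot:', r[:unreadable]
  puts 'World-readable .conf files:', r[:world_readable]
end
```

Against the sample tree, the four scenario-1 files are reported as unreadable while the two httpd conf files and the vhost key are not, matching the verified behaviour; the 0640 file passes both checks, which is the point of the "chown root:apache; chmod o-rwx" suggestion, and only the 0644 file is reported by the loose-mode check.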
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-0781.html