Bug 1028748

Summary: answer files are world-readable and contain passwords
Product: Red Hat Enterprise Virtualization Manager
Reporter: Yedidyah Bar David <didi>
Component: ovirt-engine-setup
Assignee: Alon Bar-Lev <alonbl>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: high
Docs Contact:
Priority: urgent
Version: 3.3.0
CC: acathrow, alonbl, bazulay, dtsang, iheim, knarra, mmahoney, oschreib, pprakash, Rhev-m-bugs, sbonazzo, sdharane, sherold, ssampat, yeylon
Target Milestone: ---
Keywords: Triaged
Target Release: 3.3.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: integration
Fixed In Version: is24
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-21 22:20:17 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On:
Bug Blocks: 1020187, 1038284

Description Yedidyah Bar David 2013-11-10 11:49:37 UTC
Description of problem:

Answer files are created world-readable by setup/upgrade/cleanup and contain passwords.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. engine-setup or engine-cleanup

Actual results:

A file is created in /var/lib/ovirt-engine/setup/answers world-readable and contains password(s)

Expected results:

Create these files root-readable only. Perhaps also provide an option to not save passwords there.

Additional info:

Comment 1 Yedidyah Bar David 2013-11-10 11:51:15 UTC
We might consider also adding somewhere instructions about changing permissions for existing files. Not very relevant to RHEV (except for beta testers etc.), relevant for upstream 3.3.

Comment 2 Alon Bar-Lev 2013-11-10 12:08:53 UTC
(In reply to Yedidyah Bar David from comment #0)
> Create these files root-readable only. Perhaps also provide an option to not
> save passwords there.

Using a mask of 0600 should be sufficient; please avoid explicitly using root unless absolutely required, which is usually to interact with other packages.

(In reply to Yedidyah Bar David from comment #1)
> We might consider also adding somewhere instructions about changing
> permissions for existing files. Not very relevant to RHEV (except for beta
> testers etc.), relevant for upstream 3.3.

Just adding a plugin to fix permissions on /var/lib/ovirt-engine/setup/answers/* would be simpler, no?

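As an added illustration of the two points in comment 2, and not the project's own code or the patch that was merged: an answer file has to be created with 0600 at open(2) time (a chmod after open leaves a window in which the default umask of 022 has already made the file world-readable), and existing files from before the fix can be tightened by a simple sweep over the directory. The directory path, file names, and the OVESETUP_DB/password key below are constructed sample values for the demo, which runs in a temporary directory rather than under /var/lib/ovirt-engine.

```python
import os
import shutil
import stat
import tempfile


def write_answer_file(path, answers):
    """Write key=value answers so the file is never readable by others.

    The 0600 mode is passed to os.open together with O_CREAT, so the file
    is born private regardless of the process umask.  O_EXCL makes the
    call fail instead of writing through a pre-existing file or symlink.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:          # fdopen takes ownership of fd
        for key, value in sorted(answers.items()):
            f.write("%s=%s\n" % (key, value))
    return path


def fix_existing_permissions(directory):
    """Tighten every regular file in directory to 0600 (the 'plugin'
    suggested in comment 2).  Returns the files whose mode was changed."""
    changed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)                # lstat: do not follow symlinks
        if not stat.S_ISREG(st.st_mode):
            continue
        if stat.S_IMODE(st.st_mode) != 0o600:
            os.chmod(path, 0o600)
            changed.append(path)
    return changed


def exposed_files(directory):
    """Audit helper: regular files with any group or other permission bits."""
    exposed = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) & 0o077:
            exposed.append(path)
    return exposed


def demo():
    """Constructed scenario: one leaky pre-fix file, one written safely."""
    d = tempfile.mkdtemp()
    old_umask = os.umask(0o022)            # the usual default on a RHEL box
    try:
        # What setup used to leave behind (constructed sample content).
        old = os.path.join(d, "20131110114900-setup.conf")
        with open(old, "w") as f:
            f.write("OVESETUP_DB/password=str:hunter2\n")
        os.chmod(old, 0o644)

        # A file written the safe way, under the same umask.
        new = write_answer_file(
            os.path.join(d, "20131120125645-upgrade.conf"),
            {"OVESETUP_DB/password": "str:hunter2"})
        new_mode = stat.S_IMODE(os.stat(new).st_mode)

        # O_EXCL: a second write to the same name must be refused.
        try:
            write_answer_file(new, {})
            refused_overwrite = False
        except FileExistsError:
            refused_overwrite = True

        before = exposed_files(d)
        fixed = fix_existing_permissions(d)
        after = exposed_files(d)
    finally:
        os.umask(old_umask)
        shutil.rmtree(d)

    return {"new_mode": new_mode, "refused_overwrite": refused_overwrite,
            "before": before, "fixed": fixed, "after": after}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, oct(v) if k == "new_mode" else v)
```

The audit helper checks mode bits rather than trying to open the file, because a root-owned setup run can read anything and would not notice the exposure; a `find /var/lib/ovirt-engine/setup/answers -type f -perm /077` on the host gives the same answer from the shell.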
Comment 3 Sandro Bonazzola 2013-11-14 10:26:07 UTC
Merged upstream on master, 3.3 and 3.3.1 branches.

Comment 4 Jiri Belka 2013-11-20 14:54:37 UTC
ok, is24.

# ls -l /var/lib/ovirt-engine/setup/answers/ /root/rhevm-answer 
-rw-------. 1 root root 1475 Nov 20 15:52 /root/rhevm-answer

/var/lib/ovirt-engine/setup/answers/:
total 12
-rw-------. 1 root root 1493 Nov 18 14:47 20131118144720-setup.conf
-rw-------. 1 root root 1475 Nov 20 12:56 20131120125645-upgrade.conf
-rw-------. 1 root root 1475 Nov 20 15:52 20131120155234-upgrade.conf

Comment 5 Itamar Heim 2014-01-21 22:20:17 UTC
Closing - RHEV 3.3 Released

Comment 6 Itamar Heim 2014-01-21 22:26:00 UTC
Closing - RHEV 3.3 Released