Bug 1163451

Summary: ~/.pulp/ is world readable
Product: [Retired] Pulp Reporter: Brian Bouterse <bmbouter>
Component: z_otherAssignee: Michael Hrivnak <mhrivnak>
Status: CLOSED UPSTREAM QA Contact: Irina Gulina <igulina>
Severity: high Docs Contact:
Priority: high    
Version: 2.5CC: igulina, mhrivnak
Target Milestone: ---Keywords: Triaged
Target Release: 2.6.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-02-28 22:44:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Brian Bouterse 2014-11-12 17:47:50 UTC 
~/.pulp/ has permissions 775 which is insecure.

I expect ~/.pulp/ to have permissions 700 so that other users cannot read files within here. This is important for another bug [0] BZ 1159067 which puts username/password info into ~/.pulp/admin.conf

We can't automatically secure ~/.pulp/admin.conf because the user creates that file. We should set 700 on the folder level.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1159067
Comment 1 Michael Hrivnak 2014-11-20 00:10:43 UTC 
https://github.com/pulp/pulp/pull/1339
Comment 2 Chris Duryee 2014-12-23 20:52:53 UTC 
fixed in pulp 2.6.0-0.2.beta
Comment 3 Irina Gulina 2014-12-24 00:09:25 UTC 
Now if /root/.pulp/ doesn't have 0700 permissions, the warining will be shown with pulp-admin or pulp-consumer command.


>> rpm -qa | grep pulp-server
pulp-server-2.6.0-0.2.beta.fc20.noarch

>> pulp-admin login -u admin -p pass
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

Successfully logged in. Session certificate will expire at Dec 30 22:53:54 2014
GMT.

>> chmod 0700 -R /root/.pulp/
>> pulp-admin login -u admin -p pass 
Successfully logged in. Session certificate will expire at Dec 30 23:01:34 2014
GMT.

>> chmod 0740 -R /root/.pulp/
>> pulp-admin repo list --summary
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

>> pulp-consumer status
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

This consumer is not currently registered.

If it was deleted/moved, a new created folder ~/.pulp will have 0700.

>> mv ~/.pulp/ ~/.pulp_1/
>> pulp-consumer status
This consumer is not currently registered.

>>pulp-admin login -u admin -p wrongpass
The specified user does not have permission to execute the given command

>> ls -la  ~/ | grep pulp
drwxr-xr-x.  2 root root  4096 Nov  4 13:53 for_pulp_uploads
drwx------.  2 root root  4096 Dec 24 00:03 .pulp
drwxr-----.  3 root root  4096 Dec 23 23:02 .pulp_1
Comment 4 Brian Bouterse 2015-02-28 22:44:08 UTC 
Moved to https://pulp.plan.io/issues/614