Bug 1210705 (CVE-2015-3010)
Field | Value
---|---
Summary | CVE-2015-3010 ceph-deploy: keyring permissions are world readable in ~ceph
Product | [Other] Security Response
Reporter | Vasyl Kaigorodov <vkaigoro>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED ERRATA
Severity | medium
Priority | medium
Version | unspecified
CC | adeza, branto, ceph-eng-bugs, fsimonce, jrusnack, kdreyer, ktdreyer, sisharma, trhoden, trhoden
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Fixed In Version | ceph-deploy 1.5.23
Doc Type | Bug Fix
Doc Text | It was discovered that ceph-deploy, a utility for deploying Red Hat Ceph Storage, would create the keyring file with world readable permissions, which could possibly allow a local user to obtain authentication credentials from the keyring file.
Story Points | ---
Last Closed | 2015-10-29 20:48:07 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Bug Depends On | 1210706, 1211756, 1225209
Bug Blocks | 1210708
Description
Vasyl Kaigorodov
2015-04-10 11:59:26 UTC
Created ceph-deploy tracking bugs for this issue:

Affects: fedora-all [bug 1210706]

Analysis
========

In the following code of ceph-deploy:

```python
# Excerpt of ceph-deploy as quoted in the report; `args` and `fetch_file`
# are defined elsewhere in ceph-deploy and are not part of this excerpt.
keyring = '/etc/ceph/{cluster}.client.admin.keyring'.format(
    cluster=args.cluster)
r = fetch_file(
    args=args,
    frompath=keyring,
    topath='{cluster}.client.admin.keyring'.format(
        cluster=args.cluster),
    _hosts=args.mon,
)
```

It copies the keys without forcing the file permissions, which by default leads to 777, which makes it world readable while copying it to all nodes or monitors.

ceph-deploy-1.5.23-1.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

ceph-deploy-1.5.23-1.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Ceph Storage 1.2 for RHEL 7
Red Hat Ceph Storage 1.2 for RHEL 6

Via RHSA-2015:1092 https://access.redhat.com/errata/RHSA-2015:1092

This issue has been addressed in the following products:

Red Hat Ceph Storage 1.2 for Ubuntu 12.04
Red Hat Ceph Storage 1.2 for Ubuntu 14.04

Via RHSA-2015:1579 https://access.redhat.com/errata/RHSA-2015:1579

This issue has been addressed in the following products:

Red Hat Ceph Storage 1.2 for CentOS 6

Via RHSA-2015:1631 https://access.redhat.com/errata/RHSA-2015:1631
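The permission problem the analysis above describes, as an added example in Python. This is not ceph-deploy's own code and not the change shipped in 1.5.23; it shows the pattern the report criticises (write the keyring and let the process umask decide its mode) next to a writer that creates the file with mode 0600 from the first instant, and an audit that flags keyring files readable by group or others. The keyring contents, file names and function names are constructed for the illustration.

```python
"""Added example (not ceph-deploy's own code): create a keyring without a
world-readable window, and audit a directory for loosely-permissioned keyrings."""
import os
import stat
import tempfile

# Constructed sample content, shaped like a Ceph keyring; not a real key.
SAMPLE_KEYRING = (
    "[client.admin]\n"
    "\tkey = AQ-EXAMPLE-NOT-A-REAL-KEY-EXAMPLE==\n"
)


def write_keyring_unsafe(path: str, data: str) -> int:
    """The pattern described in the report: open for writing and accept the
    umask-derived mode. With the usual umask of 022 the file ends up 0644,
    readable by every local user. Returns the resulting permission bits."""
    with open(path, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_keyring_safe(path: str, data: str) -> int:
    """Create the file with an explicit 0600 mode and O_EXCL, so no other
    user ever sees a readable version of it. Returns the permission bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        # The mode passed to O_CREAT is still filtered through the umask;
        # fchmod on the open descriptor pins 0600 regardless of umask.
        os.fchmod(fd, 0o600)
    except OSError:
        os.close(fd)
        raise
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)


def exposed_keyrings(directory: str) -> list:
    """Return the *.keyring files under `directory` whose mode grants read
    access to group or others. Group read is included on purpose: a key
    readable by any account other than its owner is already too exposed."""
    loose = []
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".keyring"):
            continue
        full = os.path.join(directory, name)
        mode = stat.S_IMODE(os.stat(full).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            loose.append(full)
    return loose


def demo() -> dict:
    """Write one keyring each way under umask 022 in a scratch directory and
    return the observed modes plus the audit result (basenames only)."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            unsafe_path = os.path.join(tmp, "ceph.client.admin.keyring")
            safe_path = os.path.join(tmp, "ceph.client.safe.keyring")
            unsafe_mode = write_keyring_unsafe(unsafe_path, SAMPLE_KEYRING)
            safe_mode = write_keyring_safe(safe_path, SAMPLE_KEYRING)
            flagged = [os.path.basename(p) for p in exposed_keyrings(tmp)]
    finally:
        os.umask(old_umask)
    return {"unsafe_mode": unsafe_mode, "safe_mode": safe_mode, "flagged": flagged}


if __name__ == "__main__":
    result = demo()
    print("naive writer mode:   %04o" % result["unsafe_mode"])
    print("hardened writer mode: %04o" % result["safe_mode"])
    print("flagged by audit:", result["flagged"])
```

`demo()` returns 0o644 for the naive writer, 0o600 for the hardened one, and the audit flags only the naive file. On a node deployed with a pre-1.5.23 ceph-deploy, the same audit over /etc/ceph and the deploying user's working directory is the quick check for keyrings that were left exposed. Tightening the mode afterwards closes the window but does not undo a read that already happened, so a keyring found world readable is a reason to rotate the key, not only to chmod the file.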