Bug 1276484

Summary: krb5kdc.log file is world-readable by default
Product: [Fedora] Fedora
Reporter: Robbie Harwood <rharwood>
Component: krb5
Assignee: Robbie Harwood <rharwood>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: abokovoy, dpal, mkosek, nalin, nathaniel, pkis, qe-baseos-security, rcritten, rharwood, sumenon
Hardware: All   
OS: Linux   
URL: https://github.com/krb5/krb5/pull/372
Fixed In Version: krb5-1.14-17.fc24 krb5-1.14-6.fc23
Doc Type: Bug Fix
Clone Of: 1256735
Last Closed: 2016-01-28 18:22:49 UTC
Type: Bug
Bug Blocks: 1256735, 1292523    

Description Robbie Harwood 2015-10-29 20:01:44 UTC
+++ This bug was initially created as a clone of Bug #1256735 +++

Description of problem: krb5kdc.log file is world-readable

Version-Release number of selected component (if applicable):

[root@ipaserver log]# rpm -qa | grep ipa-server
ipa-server-4.2.0-5.el7.x86_64
ipa-server-trust-ad-4.2.0-5.el7.x86_64
ipa-server-dns-4.2.0-5.el7.x86_64
krb5-server-1.13.2-8.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Log in to the IPA server.
2. Navigate to the /var/log directory.
3. Check the permissions of krb5kdc.log.

Actual results: krb5kdc.log file is world-readable.

-rw-------. 1 root   root          25381 Aug 25 15:42 kadmind.log
-rw-r--r--. 1 root   root        1396050 Aug 25 16:30 krb5kdc.log


Expected results: krb5kdc.log shouldn't be world-readable unless needed; permissions should also be kept at 0600 to be consistent with the other Kerberos log files.
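
The check in the steps above can be scripted. The following is an added example, not part of the original report or of the krb5 project: it flags any krb5kdc.log or kadmind.log file whose mode grants group or other access and can tighten it to 0600. The function name check_krb5_logs, the --fix option and the matching of rotated copies through the trailing glob are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit Kerberos log files for modes wider than owner-only.
# File names are taken from the report; everything else is illustrative.

# usage: check_krb5_logs DIR [--fix]
# Prints "<octal mode> <path>" for each log that grants any group/other bit.
# Without --fix: returns 1 if such a file exists, 0 otherwise.
# With --fix: sets each offending file to 0600 and returns 0.
check_krb5_logs() {
    dir=$1
    fix=${2:-}
    rc=0
    # Trailing glob also matches rotated copies (assumption about naming).
    for f in "$dir"/krb5kdc.log* "$dir"/kadmind.log*; do
        [ -f "$f" ] || continue               # unmatched glob or not a file
        mode=$(stat -L -c '%a' "$f")          # e.g. 644; -L follows symlinks
        # Leading 0 makes the shell read the mode as octal; 077 = group+other.
        [ $(( 0$mode & 077 )) -eq 0 ] && continue
        printf '%s %s\n' "$mode" "$f"
        if [ "$fix" = "--fix" ]; then
            chmod 0600 "$f"
        else
            rc=1
        fi
    done
    return $rc
}

# Constructed demo: recreate the two modes from the report's listing
# in a scratch directory instead of touching the real /var/log.
demo_dir=$(mktemp -d)
: > "$demo_dir/kadmind.log"; chmod 0600 "$demo_dir/kadmind.log"
: > "$demo_dir/krb5kdc.log"; chmod 0644 "$demo_dir/krb5kdc.log"
check_krb5_logs "$demo_dir" || echo "audit failed: log readable beyond owner"
check_krb5_logs "$demo_dir" --fix
check_krb5_logs "$demo_dir" && echo "audit passed after fix"
rm -rf "$demo_dir"
```

A chmod on an existing file does not change the mode the daemon or log rotation uses when it next creates the file, so the check is worth re-running after rotation.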

Comment 1 Robbie Harwood 2015-12-17 20:16:08 UTC
Patch submitted for consideration upstream.

Comment 2 Fedora Update System 2016-01-21 22:07:35 UTC
krb5-1.14-6.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-35cee11780

Comment 3 Robbie Harwood 2016-01-21 22:08:49 UTC
I've fixed this in rawhide and f23. If it is needed in f22, please reopen this and let me know.

Comment 4 Fedora Update System 2016-01-24 04:51:22 UTC
krb5-1.14-6.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-35cee11780

Comment 5 Fedora Update System 2016-01-28 18:22:44 UTC
krb5-1.14-6.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.