Bug 1374717

Summary: Suspicious permissions for configs and data
Product: Red Hat Software Collections Reporter: Honza Horak <hhorak>
Component: redisAssignee: Remi Collet <rcollet>
Status: CLOSED ERRATA QA Contact: Jakub Prokes <jprokes>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rh-redis32CC: extras-qa, fabian.deutsch, fpercoco, i, jal233, jprokes, rcollet
Target Milestone: beta   
Target Release: 2.3   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1374700 Environment:
Last Closed: 2016-11-15 10:16:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1374700    
Bug Blocks: 1374713, 1390588    

Description Honza Horak 2016-09-09 13:08:56 UTC 
I haven't checked but I suspect it will be similar in SCL.

+++ This bug was initially created as a clone of Bug #1374700 +++

Description of problem:
Config and datadir of redis have suspiciously weak permissions. It seems an attacker would be able to read data content easily and also password is often stored in plaintext in /etc/redis.conf.

Version-Release number of selected component (if applicable):
redis-3.0.6-3.fc24.x86_64

How reproducible:
every-time

Steps to Reproduce:
1. ls -l /etc/redis*
2. ls -ld /var/lib/redis*

Actual results:
-rw-r--r--. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r--r--. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwxr-xr-x. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis

Expected results:
-rw-r-----. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r-----. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwx------. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis
Comment 7 errata-xmlrpc 2016-11-15 10:16:21 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2745.html