Bug 1540622

Summary: logs are world-readable
Product: [oVirt] ovirt-engine
Reporter: Yedidyah Bar David <didi>
Component: Packaging.rpm
Assignee: Ido Rosenzwig <irosenzw>
Status: CLOSED CURRENTRELEASE
QA Contact: Jiri Belka <jbelka>
Severity: medium
Docs Contact:
Priority: medium
Version: 4.2.0
CC: bugs, lsvaty, ylavi
Target Milestone: ovirt-4.2.2
Flags: rule-engine: ovirt-4.2+, rule-engine: exception+, sbonazzo: devel_ack+
Target Release: 4.2.2.2
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1540627
Environment:
Last Closed: 2018-03-29 11:17:23 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: Integration
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1542511

Description Yedidyah Bar David 2018-01-31 14:36:43 UTC
Description of problem:

/var/log/ovirt-engine, including everything underneath, is world-readable.

We protect sensitive information by filtering it out of these logs, but when we add new such information, sometimes a rather long time passes between adding it and someone noticing that it's not filtered out.

So we should make all these directories readable only as needed.

Didn't check what's the minimum that's working well - since we have there things written by user 'ovirt' and other things by user 'root', need to verify that if we change to ovirt:ovirt 0700, root is not prevented access (e.g. by selinux), or find some other solution.

Version-Release number of selected component (if applicable):

Forever.

How reproducible:

100%

Steps to Reproduce:
1. Setup engine
2. Add a host
3.

Actual results:

All logs are readable by every local user on the machine.

Expected results:

All relevant logs are readable (at most) by users ovirt and root.

Additional info:

Comment 1 Jiri Belka 2018-03-07 12:02:06 UTC
ok, ovirt-engine-setup-base-4.2.2.2-0.1.el7.noarch

both clean install and upgrade

Comment 2 Sandro Bonazzola 2018-03-29 11:17:23 UTC
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
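
A check for the condition reported in this bug, as an added example that is not part of the bug report or of oVirt's packaging: it lists entries in a log tree that grant any access to "other" and entries owned by anyone outside an allowed set. The path /var/log/ovirt-engine and the users ovirt and root come from the report; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not oVirt code). Function names are hypothetical.
# Usage on an engine host, run as root:
#   audit_log_dir /var/log/ovirt-engine "$(id -u ovirt)" 0

# List entries under $1 that grant read, write or execute to "other".
# Symlinks are skipped: their own mode bits are always rwxrwxrwx.
world_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
        LC_ALL=C sort
}

# List entries under $1 whose owner is not one of the numeric UIDs that follow.
unexpected_owner() {
    root_dir=$1; shift
    owner_expr=""
    for uid in "$@"; do owner_expr="$owner_expr ! -user $uid"; done
    # Unquoted on purpose: holds only find operators and numeric UIDs.
    find "$root_dir" ! -type l $owner_expr -print | LC_ALL=C sort
}

# Print labelled findings; return 0 when the tree is clean, 1 otherwise.
# With no UIDs given, only the permission check runs.
audit_log_dir() {
    findings=$(
        world_accessible "$1" | sed 's/^/world-accessible: /'
        target=$1; shift
        if [ "$#" -gt 0 ]; then
            unexpected_owner "$target" "$@" | sed 's/^/unexpected-owner: /'
        fi
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Run it after both a clean install and an upgrade, since packaging changes can leave an existing tree with its old modes.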