Bug 1540627

Summary: logs are world-readable
Product: [oVirt] ovirt-engine-dwh Reporter: Yedidyah Bar David <didi>
Component: Packaging.rpmAssignee: Ido Rosenzwig <irosenzw>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: medium Docs Contact:
Priority: medium    
Version: 4.2.0CC: bugs, lsvaty, lveyde, pstehlik, sbonazzo, sradco, ylavi
Target Milestone: ovirt-4.2.2Flags: rule-engine: ovirt-4.2+
rule-engine: exception+
sbonazzo: devel_ack+
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovirt-engine-dwh-4.2.2.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1540622 Environment:
Last Closed: 2018-03-29 11:13:32 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1475130, 1631198, 1631202    

Description Yedidyah Bar David 2018-01-31 14:38:32 UTC 
Same as below, for /var/log/ovirt-engine-dwh

+++ This bug was initially created as a clone of Bug #1540622 +++

Description of problem:

/var/log/ovirt-engine, including everything underneath, is world-readable.

We protect sensitive information by filtering it out of these logs, but when we add new such information, sometimes a rather long time passes between adding it and someone noticing that it's not filtered out.

So we should make all these directories readable only as needed.

Didn't check what's the minimum that's working well - since we have there things written by user 'ovirt' and other things by user 'root', need to verify that if we change to ovirt:ovirt 0700, root is not prevented access (e.g. by selinux), or find some other solution.

Version-Release number of selected component (if applicable):

Forever.

How reproducible:

100%

Steps to Reproduce:
1. Setup engine
2. Add a host
3.

Actual results:

All logs are readable by every local user on the machine.

Expected results:

All relevant logs are readable (at most) by users ovirt and root.

Additional info:
Comment 1 Red Hat Bugzilla Rules Engine 2018-02-15 16:13:02 UTC 
Target release should be placed once a package build is known to fix a issue. Since this bug is not modified, the target version has been reset. Please use target milestone to plan a fix for a oVirt release.
Comment 2 Jiri Belka 2018-03-07 12:03:17 UTC 
ok, ovirt-engine-dwh-setup-4.2.2.1-1.el7ev.noarch
Comment 3 Sandro Bonazzola 2018-03-29 11:13:32 UTC 
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.