Bug 209929

Summary: insecure password and config files permissions
Product: [Fedora] Fedora Reporter: Lubos Stanek <lubek>
Component: ss5Assignee: Matteo Ricchetti <matteo.ricchetti>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: medium    
Version: 5CC: extras-qa
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-10-11 14:25:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Lubos Stanek 2006-10-08 13:02:52 UTC 
Description of problem:
The ss5 password file (ss5.passwd) and the config file (ss5.conf) is installed
with mode 0644, e.g. readable by everyone.
The password file contains clear text passwords.
The config file can contain ldap passwords.

Version-Release number of selected component (if applicable):
Any version ever released for Fedora Extras.

How reproducible:
Extract from the .spec file:
%defattr(644,root,root)
%config(noreplace) %{_sysconfdir}/opt/ss5/ss5.conf
%config(noreplace) %{_sysconfdir}/opt/ss5/ss5.passwd
%config(noreplace) %{_sysconfdir}/pam.d/ss5

Additional info:
These files should be readable only by the ss5 daemon which runs under the root
account, e.g. they should be mode 0640 or more securely mode 0600.
Maybe the SELinux rules could enhance it even more.
Comment 1 Matteo Ricchetti 2006-10-09 18:25:11 UTC 
I changed spec.file with 0640 mode and made a rebuild for Devel (FC-6).

Tell me if is ok and if I have to do it also for old dist (FC-4/5)

Thx.
Comment 2 Lubos Stanek 2006-10-11 09:56:12 UTC 
(In reply to comment #1)
Yes, it is definitely better.
I think that this change should be reflected in all builds. It enhances the
daemon files protection.
Maybe you could also check permissions in the application and log week permissions.

I am currently trying to make the selinux module for ss5. Tell me if you are
interrested. Use my address directly.
Comment 3 Matteo Ricchetti 2006-10-11 10:44:05 UTC 
OK, I'm going to fix also FC4/5

About SELinux, it could be very interesting, even if ss5 should works also for 
Solaris and FreeBSD.

Thx
Comment 4 Matteo Ricchetti 2006-10-11 10:44:53 UTC 
OK, I'm going to fix also FC4/5

About SELinux, it could be very interesting, even if ss5 should works also for 
Solaris and FreeBSD.

Thx
Comment 5 Lubos Stanek 2006-10-11 14:02:03 UTC 
(In reply to comment #4)
The SELinux does not mean changes to the application. It defines the rules,
limits and borders under which the application runs. (Ex.: it can read and write
to/from certain log file but it cannot read other files. You can imagine
something like chroot.)
The source and other ports will remain unchanged.
The SELinux module can be used by anyone trying to protect ss5 under SELinux. If
Solaris or FeeeBSD uses SELinux, it can use the module as well.
Look at pure_ftpd in Extras.

Close this bug, it is solved.

I hope that one and only response will suffice. :)
Comment 6 Matteo Ricchetti 2006-10-11 14:25:42 UTC 
Closed