Bug 646510
| Summary: | PowerDNS configuration is world-readable while it can contain passwords | ||
|---|---|---|---|
| Product: | [Fedora] Fedora EPEL | Reporter: | Nils Breunese <nils> |
| Component: | pdns | Assignee: | Morten Stevens <mstevens> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | el5 | CC: | mstevens, ruben |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2012-11-17 01:03:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Nils Breunese
2010-10-25 14:19:31 UTC
But it doesn't contain a password by default, does it? The webserver is also not started by default. What I'm getting at is that if you take the effort to enable the webserver, you could also just make the config file not world-readable. It doesn't contain a password by default, but when using a backend which requires a password the same applies. I believe the gmysql backend is the most used backend, which needs the gmysql-password setting in pdns.conf. Yes, the admin could make the config file not world-readable, but since it is so common to have passwords in there I think it should just be not world-readable by default. Fair point :-) I'll make the change. Hmm, this is harder than I thought. I'm wondering if it's enough to make the owner/group root:root, or if the pdns user also has to be able to read that file. In the latter case we have to do some mangling of the permissions in %post, since the pdns user doesn't exist at %install time. What do you think? My /etc/pdns/pdns.conf is 0600 and owned by root:root. Works just fine, so I don't think the pdns user has to be able to read that file. I believe the file is already owned by root:root in the current release, so only the mode needs to be changed to 0600 AFAIK. pdns-3.1-5.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/pdns-3.1-5.fc18 pdns-3.1-4.fc17 has been submitted as an update for Fedora 17. https://admin.fedoraproject.org/updates/pdns-3.1-4.fc17 pdns-3.1-4.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/pdns-3.1-4.fc16 Package pdns-3.1-5.fc18: * should fix your issue, * was pushed to the Fedora 18 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing pdns-3.1-5.fc18' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-16534/pdns-3.1-5.fc18 then log in and leave karma (feedback). This bug report is for EPEL5. Will this also be fixed for the packages in EPEL? (In reply to comment #10) > This bug report is for EPEL5. Will this also be fixed for the packages in > EPEL? Yes, I'll fix this also for epel5 and epel6. pdns-2.9.22.6-2.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/pdns-2.9.22.6-2.el6 pdns-2.9.22-5.el5 has been submitted as an update for Fedora EPEL 5. https://admin.fedoraproject.org/updates/pdns-2.9.22-5.el5 pdns-3.1-1.el6 has been submitted as an update for Fedora EPEL 6. https://admin.fedoraproject.org/updates/pdns-3.1-1.el6 pdns-2.9.22-6.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report. |