Bug 766929

Summary: database.yml is world-readable
Product: [Retired] CloudForms Cloud Engine
Reporter: Matt Wagner <matt.wagner>
Component: aeolus-conductor
Assignee: John Eckersberg <jeckersb>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: unspecified
Priority: unspecified
Version: 1.0.0
CC: akarol, athomas, deltacloud-maint, morazi, slinaber, ssachdev
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix

Description Matt Wagner 2011-12-12 19:52:29 UTC
Description of problem:
The installed /usr/share/aeolus-conductor/config/database.yml file with database credentials appears to be world-readable:

$ ls -lh /etc/aeolus-conductor/database.yml
lrwxrwxrwx. 1 root root 47 Dec  7 14:28 /etc/aeolus-conductor/database.yml -> /usr/share/aeolus-conductor/config/database.yml

$ ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r--r--. 1 root root 1.7K Dec  7 14:27 /usr/share/aeolus-conductor/config/database.yml

This permits any user with shell access on the box to obtain the credentials used to connect to Conductor's database, which they could then use to connect and manipulate the database.

Version-Release number of selected component (if applicable):
Probably all, but specifically aeolus-conductor-0.8.0-0.20111207192649gitacd1159.fc15.noarch


Expected results:
Random users cannot read the database config. (It should probably be owned by the aeolus user with group/world having no privileges.)

Comment 1 John Eckersberg 2011-12-21 22:18:21 UTC
commit 70ed177dd3acd05a818c30ad157ba391f9197082
Author: John Eckersberg <jeckersb>
Date:   Wed Dec 21 16:47:06 2011 -0500

    BZ#766929 - database.yml is world-readable
    
    https://bugzilla.redhat.com/show_bug.cgi?id=766929

Comment 2 wes hayutin 2012-01-03 17:41:45 UTC
adding ce-sprint-next bugs to ce-sprint

Comment 3 Steve Linabery 2012-01-10 21:16:36 UTC
commit b068c7d61039aedb387e22ec7ad3149524b611f9 on conductor 0.8.x branch

Comment 4 wes hayutin 2012-01-12 16:17:04 UTC
bugs in verified or on_qa moving off tracker

Comment 5 Aziza Karol 2012-01-18 12:44:43 UTC
database.yml is now owned by aeolus user.

# ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r-----. 1 root aeolus 1.7K Jan 16 12:59 /usr/share/aeolus-conductor/config/database.yml

# rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-7.el6.noarch
rubygem-aeolus-image-0.3.0-2.el6.noarch
rubygem-aeolus-cli-0.3.0-3.el6.noarch
aeolus-all-0.8.0-7.el6.noarch
aeolus-conductor-0.8.0-7.el6.noarch
aeolus-configure-2.5.0-4.el6.noarch
aeolus-conductor-daemons-0.8.0-7.el6.noarch
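
The report above checks the file by hand with ls, and the verification in Comment 5 repeats the same check after the fix. The script below is an added example (not code from the bug report, the commit, or the aeolus-conductor project) that turns both into a repeatable audit: it follows the /etc symlink to its target, since the symlink's own mode (lrwxrwxrwx) says nothing about who can read the real file, flags any file whose "other" read bit is set, and applies the ownership and 0640 mode the expected result asks for. It assumes GNU coreutils (readlink -f, stat -c); the owner, group and temporary paths it runs against are constructed for the demo, not taken from the page.

```shell
#!/bin/sh
# Added example: audit and fix world-readable config files such as database.yml.
# Assumes GNU coreutils (readlink -f, stat -c). Not part of aeolus-conductor.

# audit_world_readable FILE...
# Resolves each path (symlinks included) to its target and reports any target
# whose "other" read bit is set. Returns 0 if nothing is world-readable, 1 otherwise.
audit_world_readable() {
    rc=0
    for f in "$@"; do
        target=$(readlink -f "$f") || { echo "skip: $f (cannot resolve)" >&2; continue; }
        mode=$(stat -c '%a' "$target") || { echo "skip: $f (no stat)" >&2; continue; }
        # The last octal digit is the "other" class; 4, 5, 6 or 7 means o+r is set.
        case $mode in
            *[4567]) echo "WORLD-READABLE: $f -> $target (mode $mode)"; rc=1 ;;
        esac
    done
    return $rc
}

# harden_config FILE OWNER GROUP
# Applies the expected result from the report: owner and service group may read,
# nobody else. Works on the symlink target (chmod follows symlinks anyway).
harden_config() {
    target=$(readlink -f "$1") || return 1
    chown "$2:$3" "$target" && chmod 0640 "$target"
}

# Demo on a constructed layout mirroring the report: a config under a "share"
# directory and an "etc" symlink pointing at it. Run as the current user, so the
# ownership used is the caller's own user and group rather than root:aeolus.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/share" "$demo_dir/etc"
printf 'production:\n  adapter: postgresql\n  password: constructed-demo-secret\n' \
    > "$demo_dir/share/database.yml"
chmod 0644 "$demo_dir/share/database.yml"               # the reported, bad state
ln -s "$demo_dir/share/database.yml" "$demo_dir/etc/database.yml"

if audit_world_readable "$demo_dir/etc/database.yml"; then
    echo "unexpected: file already locked down"
else
    echo "fixing..."
    harden_config "$demo_dir/etc/database.yml" "$(id -un)" "$(id -gn)"
    audit_world_readable "$demo_dir/etc/database.yml" && echo "OK: no longer world-readable"
fi
rm -rf "$demo_dir"
```

In production the OWNER:GROUP arguments would be root:aeolus (or aeolus:aeolus), so the Rails process running as the aeolus user can still read the file; the audit only looks at the "other" bits, so it will not complain about group-readable files that share a group with the service.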