Bug 796417

Summary: imagefactory.log permissions are too open by default
Product: [Retired] CloudForms Cloud Engine
Reporter: Brad P. Crochet <brad>
Component: imagefactory
Assignee: Steve Loranz <sloranz>
Status: CLOSED ERRATA
QA Contact: Martin Kočí <mkoci>
Severity: high
Priority: unspecified
Version: 1.0.0
CC: akarol, brad, dajohnso, deltacloud-maint, dgao, hbrock, imcleod, nobody, sloranz, ssachdev, whayutin
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2012-05-15 20:22:07 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Brad P. Crochet 2012-02-22 20:34:15 UTC
Default perms are 0666. This is very bad.

At the least, they should be 0664, better would be 0644, best would be 0600 (since the logs currently may contain sensitive information)

[root@qeblade33 log]# ls -l imagefactory.log 
-rw-rw-rw-. 1 root root 30755 Feb 22 14:48 imagefactory.log
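
The 0666 file shown above is what a process gets when it creates a log with a plain open() under a umask of 0000, and the fix that landed (comment 4, verified in comment 5) is to create the file 0600 instead. The following is an added example, not imagefactory's own code, showing both sides in Python (the language imagefactory is written in): a stock logging.FileHandler reproducing the world-writable file, a handler subclass that forces 0600 at creation and tightens an already-existing file, and a small audit check. The names PrivateFileHandler, write_private_log, write_default_log, tighten_existing_log, log_file_mode and is_group_or_world_accessible are hypothetical, and the single log line written is constructed for the demo.

```python
import logging
import os
import stat
import tempfile


class PrivateFileHandler(logging.FileHandler):
    """Hypothetical FileHandler that creates the log file 0600 regardless of umask.

    logging.FileHandler uses the builtin open(), so a new file gets 0666 masked
    by the process umask; under umask 0000 that is exactly the -rw-rw-rw- file
    in the bug report. Creating the file with os.open and an explicit mode, and
    fchmod'ing it in case it already existed, closes that gap.
    """

    def __init__(self, filename, private_mode=0o600):
        self._private_mode = private_mode
        super().__init__(filename)  # delay=False, so _open() runs right here

    def _open(self):
        # The kernel still applies the umask to the mode passed to open(2),
        # so mask out group/other for the duration of the call.
        old_umask = os.umask(0o077)
        try:
            fd = os.open(self.baseFilename,
                         os.O_WRONLY | os.O_CREAT | os.O_APPEND,
                         self._private_mode)
        finally:
            os.umask(old_umask)
        # O_CREAT's mode only applies on creation; tighten a pre-existing file too.
        os.fchmod(fd, self._private_mode)
        return os.fdopen(fd, "a", encoding="utf-8")


def log_file_mode(path):
    """Return the permission bits of path as an int, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_group_or_world_accessible(path):
    """Audit check: True if anyone other than the owner can read or write the log."""
    return bool(log_file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO))


def write_default_log(directory=None):
    """Stock FileHandler under umask 0000: reproduces the 0666 file from the report."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "imagefactory.log")
    old_umask = os.umask(0)
    try:
        handler = logging.FileHandler(path)
    finally:
        os.umask(old_umask)
    handler.close()
    return path


def write_private_log(directory=None):
    """Write one constructed log line through PrivateFileHandler; return the path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "imagefactory.log")
    logger = logging.getLogger("private-log-demo:" + path)  # unique per path
    logger.setLevel(logging.INFO)
    handler = PrivateFileHandler(path)
    logger.addHandler(handler)
    logger.info("image build started")  # constructed sample line
    logger.removeHandler(handler)
    handler.close()
    return path


def tighten_existing_log():
    """Start from the 0666 file, then reopen it with PrivateFileHandler."""
    path = write_default_log()
    write_private_log(os.path.dirname(path))
    return path


if __name__ == "__main__":
    for label, p in (("default", write_default_log()),
                     ("private", write_private_log()),
                     ("tightened", tighten_existing_log())):
        print(f"{label:9} {oct(log_file_mode(p))} "
              f"{'OPEN' if is_group_or_world_accessible(p) else 'ok'} {p}")
```

Two caveats for a daemon like imagefactory: os.umask is process-global, so the temporary umask change in _open is a race against other threads creating files at the same moment, and it is cleaner to set a restrictive umask once at service startup and keep the fchmod as belt and braces. Secondly, whatever creates the file decides its mode, so if logrotate recreates the log it needs a matching `create 0600 root root` directive, otherwise the permissions silently regress at the next rotation.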

Comment 1 Hugh Brock 2012-02-24 15:52:31 UTC
Two questions:

1. What sensitive information does the image factory log contain?

2. What sets the perms on the log, factory or configure?

Comment 2 Ian McLeod 2012-02-24 16:28:51 UTC
We've made several changes to avoid having passwords in the log.  Beyond that, I don't know what would be in it that is worth protecting.

Comment 4 Ian McLeod 2012-02-24 19:22:46 UTC
Commit pulled into release branch as:

https://github.com/aeolusproject/imagefactory/commit/0115e304e28ac1a9cb0e8d1c59c250c13227e081

Brewed as 1.0.0rc7

Comment 5 Shveta 2012-02-27 09:43:21 UTC
[root@dell-per805-01 log]# ls -l imagefactory.log 
-rw-------. 1 root root 23865 Feb 27 04:41 imagefactory.log


Verified in
rpm -qa|grep aeolus
aeolus-conductor-0.8.0-36.el6.noarch
rubygem-aeolus-cli-0.3.0-10.el6.noarch
aeolus-conductor-daemons-0.8.0-36.el6.noarch
aeolus-configure-2.5.0-15.el6.noarch
rubygem-aeolus-image-0.3.0-10.el6.noarch
aeolus-all-0.8.0-36.el6.noarch
aeolus-conductor-doc-0.8.0-36.el6.noarch

Comment 6 errata-xmlrpc 2012-05-15 20:22:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2012-0588.html