Bug 1002559 - oo-diagnostics should check the mode on important files
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Priority: low
Severity: low
Assigned To: Luke Meyer
libra bugs
Reported: 2013-08-29 08:55 EDT by Brenton Leanhardt
Modified: 2017-03-08 12 EST
Fixed In Version: rubygem-openshift-origin-common-
Doc Type: Bug Fix
Last Closed: 2014-06-23 03:37:21 EDT
Type: Bug
Description Brenton Leanhardt 2013-08-29 08:55:26 EDT
Description of problem:

This is related to Bug #1001833.  We should add a test that checks the mode/ownership for important configuration files and directories.
Comment 2 Brenton Leanhardt 2013-09-30 16:34:12 EDT
We should also add sanity checks that make sure files containing passwords do not have their modes set too loosely.
Comment 3 Luke Meyer 2014-03-24 14:42:07 EDT
In OSE 2.1 oo-diagnostics#test_apache_can_read_conf_files covers most of this. I missed Gemfile.lock and maybe others.

A lot of the conf files are owned by root and read by apache. That makes it kind of tricky to keep them locked down. I suppose they could be "chown root:apache" and "chmod o-rwx" ?

Anything else specifically needed here?
Comment 4 Brenton Leanhardt 2014-03-24 14:45:39 EDT
Nothing specific. We were just thinking any incremental improvement would be nice. Hard to add tests for everything that could break. The Gemfile.lock was the only thing specifically called out in Bug #1001833.
Comment 5 Luke Meyer 2014-03-27 14:51:13 EDT
I'm going to note that oo-diagnostics#test_apache_can_read_conf_files now complains about this:


However, that's actually incorrect. There is no need for the apache user to read apache conf files, because root reads them (and then forks to become apache user). And since this file in particular could have sensitive data for authenticating to ldap, we don't want to complain about it.

Omit httpd conf files from the test. However, openshift code/content and conf files are read after the setuid (by passenger actually) so they do need to be covered.
Comment 6 Luke Meyer 2014-03-27 14:58:49 EDT
Also it complains about the vhost confs:


certs and keys shouldn't be a problem, they're read by root only.

apache *does* need to be able to read the .db files from mod_rewrite at runtime, although those seem unlikely to be touched by the admin.
Comment 7 Luke Meyer 2014-05-23 11:08:14 EDT
Fixing this upstream.

Comment 8 Luke Meyer 2014-05-29 13:01:36 EDT
Adding to OSE cherrypicks:
Comment 11 Ma xiaoqiang 2014-06-11 06:53:20 EDT
check on puddle [2.1.z/2014-06-10]
Scenario 1: touch the following files, and modify the permissions
-rw-------. 1 root   root      0 /etc/openshift/test.conf
-rw-------. 1 root   root      0 /var/www/openshift/broker/test.conf
-rw-------. 1 root   root      0 /var/www/openshift/console/test.conf
-rw-------. 1 root   root      0 /var/lib/openshift/.httpd.d/test.db
run "oo-diagnostics test_apache_can_read_conf_files"
The following configuration files have names and locations indicating
        that the apache user should be able to read them, but are not readable
        by the apache user:

Scenario 2:
# cd /var/www/openshift/console/httpd
# chown root:root console.conf; chmod 0600 console.conf
# chown root:root conf.d/openshift-origin-auth-remote-user.conf; chmod 0600 conf.d/openshift-origin-auth-remote-user.conf
# /etc/init.d/httpd restart
# /etc/init.d/openshift-console restart

No error message is given, and the console can be accessed successfully.
Comment 12 Luke Meyer 2014-06-12 13:27:39 EDT
I think several pre-fork commits may have helped address this, but this one was also related:

commit e2a5e3e3f7e3227b3b96ccf85831a923bec96cd0
Commit:     Luke Meyer <lmeyer@redhat.com>
CommitDate: Thu May 29 11:59:50 2014 -0400

    diagnostics: fix errant warning on httpd conf #cherrypick

    commit 366ef378d8ee735b877c92d6799cc703da0b6bd6
    Author: Luke Meyer <lmeyer@redhat.com>
    Date:   Fri May 23 10:54:24 2014 -0400

    test_apache_can_read_conf_files is intended to warn when the apache user
    cannot read files it needs to. The files being checked are overly broad;
    since httpd reads all of its configuration as root before switching to
    apache user, none of that needs to be apache-readable. Instead, just
    check files that apache will actually be reading at runtime. Everything
    related to Rails apps falls into this category.
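Added example, not part of this bug's comments or of the oo-diagnostics code, of the two checks discussed in this thread: Comment 3's suggestion of keeping shared files "root:apache" with "o-rwx", the scenarios in Comment 11, and Comment 12's rule that only files the apache user reads after httpd drops privileges (Rails app content, mod_rewrite .db files) need to be apache-readable, while root-only httpd conf files that may hold LDAP credentials should not be world-readable. The paths and modes in the sample are constructed from the scenarios on this page; the apache uid/gid of 48, the Entry struct and the function names are assumptions.

```ruby
# Added example (not oo-diagnostics' own code): a mode/ownership check in the
# spirit of test_apache_can_read_conf_files. It works on stat-like entries so
# the sample data below can be constructed inline; entry_for(path) builds one
# from a real file. Assumes plain POSIX mode bits (no ACLs, no SELinux labels).
Entry = Struct.new(:path, :uid, :gid, :mode)

# Build an Entry from a real file on disk.
def entry_for(path)
  st = File.stat(path)
  Entry.new(path, st.uid, st.gid, st.mode & 0o777)
end

# POSIX read check for a user with uid and group list gids: owner bits apply if
# the user owns the file, otherwise group bits if any gid matches, otherwise
# the "other" bits. root (uid 0) can read anything.
def readable_by?(entry, uid, gids)
  return true if uid == 0
  if entry.uid == uid
    (entry.mode & 0o400) != 0
  elsif gids.include?(entry.gid)
    (entry.mode & 0o040) != 0
  else
    (entry.mode & 0o004) != 0
  end
end

# True when the "other" read bit is set.
def world_readable?(entry)
  (entry.mode & 0o004) != 0
end

# runtime_entries: files apache reads after httpd drops privileges (Rails app
# content and conf, mod_rewrite .db files); these must be apache-readable.
# sensitive_entries: files read only by root that may hold credentials; these
# must not be world-readable. Returns the offending paths in each category.
def check_conf_modes(runtime_entries, sensitive_entries, apache_uid:, apache_gids:)
  {
    not_apache_readable: runtime_entries.reject { |e| readable_by?(e, apache_uid, apache_gids) }.map(&:path),
    world_readable:      sensitive_entries.select { |e| world_readable?(e) }.map(&:path),
  }
end

# Constructed sample mirroring the scenarios in this bug. uid/gid 48 is the
# conventional apache account on RHEL; treat it as an assumption.
APACHE_UID = 48
APACHE_GID = 48
RUNTIME_SAMPLE = [
  Entry.new('/var/www/openshift/broker/test.conf', 0, 0, 0o600),             # root-only: flagged
  Entry.new('/var/www/openshift/broker/Gemfile.lock', 0, APACHE_GID, 0o640), # root:apache, o-rwx: ok
  Entry.new('/var/lib/openshift/.httpd.d/test.db', 0, 0, 0o644),             # world-readable: ok
]
SENSITIVE_SAMPLE = [
  Entry.new('/var/www/openshift/console/httpd/conf.d/openshift-origin-auth-remote-user.conf', 0, 0, 0o644), # flagged
  Entry.new('/var/www/openshift/console/httpd/console.conf', 0, 0, 0o600),  # ok
]

# Run the check over the constructed sample.
def sample_findings
  check_conf_modes(RUNTIME_SAMPLE, SENSITIVE_SAMPLE, apache_uid: APACHE_UID, apache_gids: [APACHE_GID])
end

if __FILE__ == $0
  f = sample_findings
  puts "not readable by apache: #{f[:not_apache_readable].inspect}"
  puts "world-readable sensitive files: #{f[:world_readable].inspect}"
end
```

Run it directly to print the findings for the sample; on a live broker, build the entries with entry_for(path) instead. Only the mode bits are consulted, so a file that passes here can still be unreadable to apache because of an ACL or SELinux label, and a file that fails the sensitive check is only a warning that the mode is looser than it needs to be, not proof that it contains a password.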
Comment 14 errata-xmlrpc 2014-06-23 03:37:21 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

