Red Hat Bugzilla – Bug 1002559
oo-diagnostics should check the mode on important files
Last modified: 2017-03-08 12:38 EST
Description of problem:
This is related to Bug #1001833. We should add a test that checks the mode/ownership for important configuration files and directories.
We should also add sanity checks that make sure files containing passwords do not have their modes set too loosely.
In OSE 2.1 oo-diagnostics#test_apache_can_read_conf_files covers most of this. I missed Gemfile.lock and maybe others.
A lot of the conf files are owned by root and read by apache. That makes it kind of tricky to keep them locked down. I suppose they could be "chown root:apache" and "chmod o-rwx" ?
Anything else specifically needed here?
Nothing specific. We were just thinking any incremental improvement would be nice. Hard to add tests for everything that could break. The Gemfile.lock was the only thing specifically called out in Bug #1001833.
I'm going to note that oo-diagnostics#test_apache_can_read_conf_files now complains about this:
However, that's actually incorrect. There is no need for the apache user to read apache conf files, because root reads them (and then forks to become apache user). And since this file in particular could have sensitive data for authenticating to ldap, we don't want to complain about it.
Omit httpd conf files from the test. However, openshift code/content and conf files are read after the setuid (by passenger actually) so they do need to be covered.
Also it complains about the vhost confs:
certs and keys shouldn't be a problem, they're read by root only.
apache *does* need to be able to read the .db files from mod_rewrite at runtime, although those seem unlikely to be touched by the admin.
Fixing this upstream.
Adding to OSE cherrypicks:
check on puddle [2.1.z/2014-06-10]
scenario 1: touch the following files, and modify the permissions
-rw-------. 1 root root 0 /etc/openshift/test.conf
-rw-------. 1 root root 0 /var/www/openshift/broker/test.conf
-rw-------. 1 root root 0 /var/www/openshift/console/test.conf
-rw-------. 1 root root 0 /var/lib/openshift/.httpd.d/test.db
run "oo-diagnostics test_apache_can_read_conf_files"
The following configuration files have names and locations indicating
that the apache user should be able to read them, but are not readable
by the apache user:
#chown root:root console.conf; chmod 0600 console.conf
# chown root:root conf.d/openshift-origin-auth-remote-user.conf; chmod 0600 conf.d/openshift-origin-auth-remote-user.conf
No error message is given out, and the console is accessed successfully!
I think several pre-fork commits may have helped address this, but this one was also related:
Commit: Luke Meyer <email@example.com>
CommitDate: Thu May 29 11:59:50 2014 -0400
diagnostics: fix errant warning on httpd conf #cherrypick
Author: Luke Meyer <firstname.lastname@example.org>
Date: Fri May 23 10:54:24 2014 -0400
test_apache_can_read_conf_files is intended to warn when the apache user
cannot read files it needs to. The files being checked are overly broad;
since httpd reads all of its configuration as root before switching to
apache user, none of that needs to be apache-readable. Instead, just
check files that apache will actually be reading at runtime. Everything
related to Rails apps falls into this category.
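As an added example (not oo-diagnostics' own code), the Ruby sketch below models the narrowed check the commit message describes: only files httpd reads after dropping to the apache user (the broker and console Rails apps, including files like Gemfile.lock, and the mod_rewrite .db maps) must be apache-readable, while httpd confs, vhost confs, certs and keys read as root are skipped; it also carries the bug's second request, that credential-bearing files not be world-readable. The path patterns, the apache uid/gid and the sample file list are assumptions.

```ruby
# Added example, not oo-diagnostics' own code. It models the narrowed
# test_apache_can_read_conf_files logic from the commit message: only files
# read after httpd drops privileges must be apache-readable. The patterns
# below are assumptions; uid/gid values come from the caller.

# Read by root before the setuid to apache: httpd confs, vhost confs, certs, keys.
ROOT_ONLY_PATTERNS = [
  %r{\A/etc/httpd/},
  %r{\.(crt|pem|key)\z},
].freeze

# Read at runtime as apache: Rails app content under passenger, mod_rewrite .db maps.
APACHE_RUNTIME_PATTERNS = [
  %r{\A/var/www/openshift/(broker|console)/},
  %r{\A/var/lib/openshift/\.httpd\.d/.*\.db\z},
].freeze

def needs_apache_read?(path)
  return false if ROOT_ONLY_PATTERNS.any? { |re| path.match?(re) }
  APACHE_RUNTIME_PATTERNS.any? { |re| path.match?(re) }
end

# Pure permission arithmetic over mode bits and ownership (no filesystem access),
# so the decision can be tested without creating files as root.
def readable_by?(mode, uid, gid, user_uid, user_gids)
  return (mode & 0o400) != 0 if uid == user_uid
  return (mode & 0o040) != 0 if user_gids.include?(gid)
  (mode & 0o004) != 0
end

# Build an entry from a real file when running on a host.
def stat_entry(path)
  st = File.stat(path)
  { path: path, mode: st.mode & 0o7777, uid: st.uid, gid: st.gid }
end

# entries: [{path:, mode:, uid:, gid:}]. Returns paths apache must read but cannot.
def unreadable_runtime_files(entries, apache_uid, apache_gids)
  entries.select { |e| needs_apache_read?(e[:path]) }
         .reject { |e| readable_by?(e[:mode], e[:uid], e[:gid], apache_uid, apache_gids) }
         .map { |e| e[:path] }
end

# Sanity check from the bug: files holding credentials must not be world-readable.
def world_readable_secrets(entries, secret_patterns)
  entries.select { |e| secret_patterns.any? { |re| e[:path].match?(re) } }
         .select { |e| (e[:mode] & 0o004) != 0 }
         .map { |e| e[:path] }
end
```

On a real host, feed `Dir.glob` results through `stat_entry` and print the two lists as warnings; the root-only list keeps the ldap-capable remote-user conf from being flagged even at mode 0600.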
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.