Description of problem:
SECURITY - notifier.log contains the value of MAIL_PASSWORD if not empty! This file is world-readable!

# su -s /bin/sh nobody -c 'grep -q MAIL_PASSWORD /var/log/ovirt-engine/notifier/notifier.log && echo found_pattern'
found_pattern

-%-

# grep MAIL_PASS /etc/ovirt-engine/notifier/notifier.conf
MAIL_PASSWORD=foobar
# grep MAIL_PASS /var/log/ovirt-engine/notifier/notifier.log | tail -n1
2013-10-18 13:59:42,048 INFO [org.ovirt.engine.core.utils.LocalConfig] Value of property "MAIL_PASSWORD" is "foobar".

Version-Release number of selected component (if applicable):
is19

How reproducible:
100%

Steps to Reproduce:
1. MAIL_ENABLE_SSL=true, MAIL_SERVER=$smtp_server, MAIL_USER=$auth-name, MAIL_PASSWORD=$auth-password defined in /etc/ovirt-engine/notifier/notifier.conf
2. restart ovirt-engine-notifier
3. see MAIL_PASSWORD in notifier.log

Actual results:
The password defined in the conf file is visible in plaintext in the log file!

Expected results:
Do not show the password, as it can leak.

Additional info:
There is a configuration key called SENSITIVE_KEYS, which is a comma-separated list of hidden configuration keys. Patch proposed upstream adding MAIL_PASSWORD to ovirt-engine-notifier.conf.
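An audit sketch covering the report and the SENSITIVE_KEYS fix above, added here as an example and not taken from the thread or from oVirt: it lists password-named keys missing from SENSITIVE_KEYS, finds configured secrets that appear in the log in the quoted line format, and checks the log's "other" read bit. The function names, the SAMPLE directory, the single conf file holding SENSITIVE_KEYS, and the key EXAMPLE_DB_PASSWORD are assumptions.

```shell
#!/bin/sh
# Added example, not oVirt code. Assumes one KEY=value conf file that also
# carries SENSITIVE_KEYS, and the log line format quoted in the report.

# Value of KEY ($2) in conf file $1: last assignment wins, outer quotes stripped.
conf_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# Keys named *PASSWORD* that SENSITIVE_KEYS does not list (the gap in this bug).
unlisted_password_keys() {
    listed=",$(conf_value "$1" SENSITIVE_KEYS | tr -d '[:space:]'),"
    sed -n 's/^[[:space:]]*\([A-Za-z0-9_]*PASSWORD[A-Za-z0-9_]*\)=.*/\1/p' "$1" |
    sort -u | while read -r key; do
        case $listed in *",$key,"*) ;; *) echo "$key" ;; esac
    done
}

# Secret-bearing keys (SENSITIVE_KEYS plus *PASSWORD*) whose non-empty value
# appears in log $2 as: Value of property "KEY" is "VALUE".
leaked_keys() {
    { conf_value "$1" SENSITIVE_KEYS | tr ',' '\n' | tr -d ' \t'
      unlisted_password_keys "$1"; } | sort -u | while read -r key; do
        [ -n "$key" ] || continue
        val=$(conf_value "$1" "$key")
        [ -n "$val" ] || continue
        if grep -qF "Value of property \"$key\" is \"$val\"." "$2"; then echo "$key"; fi
    done
}

# True when "other" has read permission on $1 (8th character of the mode string).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Constructed sample data; EXAMPLE_DB_PASSWORD is a hypothetical key.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/notifier.conf" <<'EOF'
SENSITIVE_KEYS=EXAMPLE_DB_PASSWORD
MAIL_PASSWORD=foobar
EXAMPLE_DB_PASSWORD=sample-value
EOF
cat > "$SAMPLE/notifier.log" <<'EOF'
2013-10-18 13:59:42,048 INFO [org.ovirt.engine.core.utils.LocalConfig] Value of property "MAIL_PASSWORD" is "foobar".
EOF
chmod 644 "$SAMPLE/notifier.log"
echo "unlisted: $(unlisted_password_keys "$SAMPLE/notifier.conf")"
echo "leaked:   $(leaked_keys "$SAMPLE/notifier.conf" "$SAMPLE/notifier.log")"
world_readable "$SAMPLE/notifier.log" && echo "log is world-readable"
```

A value already written to the log stays there after SENSITIVE_KEYS is corrected, so a hit from leaked_keys also means the existing log files need their permissions tightened and the password rotated.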
ok, is22.
Closing - RHEV 3.3 Released