1028748 – answer files are world-readable and contain passwords

Bug 1028748 - answer files are world-readable and contain passwords

Summary: answer files are world-readable and contain passwords

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat Enterprise Virtualization Manager
Classification:	Red Hat
Component:	ovirt-engine-setup
Sub Component:
Version:	3.3.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	urgent
Severity:	high
Target Milestone:	---
Target Release:	3.3.0
Assignee:	Alon Bar-Lev
QA Contact:	Jiri Belka
Docs Contact:
URL:
Whiteboard:	integration
Depends On:
Blocks:	1020187 3.3snap3
TreeView+	depends on / blocked

Reported:	2013-11-10 11:49 UTC by Yedidyah Bar David
Modified:	2014-01-21 22:26 UTC (History)
CC List:	15 users (show)
Fixed In Version:	is24
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2014-01-21 22:20:17 UTC
oVirt Team:	---
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
oVirt gerrit	21198	None	None	None	Never
oVirt gerrit	21201	None	None	None	Never
oVirt gerrit	21249	None	None	None	Never

Description Yedidyah Bar David 2013-11-10 11:49:37 UTC

Description of problem:

Answer files are created world-readable by setup/upgrade/cleanup and contain passwords.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. engine-setup or engine-cleanup
2.
3.

Actual results:

A file is created in /var/lib/ovirt-engine/setup/answers world-readable and contains password(s)

Expected results:

Create these files root-readable only. Perhaps also provide an option to not save passwords there.

Additional info:

Comment 1 Yedidyah Bar David 2013-11-10 11:51:15 UTC

We might consider also adding somewhere instructions about changing permissions for existing files. Not very relevant to RHEV (except for beta testers etc.), relevant for upstream 3.3.

Comment 2 Alon Bar-Lev 2013-11-10 12:08:53 UTC

(In reply to Yedidyah Bar David from comment #0)
> Create these files root-readable only. Perhaps also provide an option to not
> save passwords there.

Using mask of 0600 should be sufficient, please avoid explicitly using root unless absolutely required, usually this is to interact with other packages.

(In reply to Yedidyah Bar David from comment #1)
> We might consider also adding somewhere instructions about changing
> permissions for existing files. Not very relevant to RHEV (except for beta
> testers etc.), relevant for upstream 3.3.

just add plugin to fix permissions on /var/lib/ovirt-engine/setup/answers/* will be simpler, no?

Comment 3 Sandro Bonazzola 2013-11-14 10:26:07 UTC

Merged upstream on master, 3.3 and 3.3.1 branches.

Comment 4 Jiri Belka 2013-11-20 14:54:37 UTC

ok, is24.

# ls -l /var/lib/ovirt-engine/setup/answers/ /root/rhevm-answer 
-rw-------. 1 root root 1475 Nov 20 15:52 /root/rhevm-answer

/var/lib/ovirt-engine/setup/answers/:
total 12
-rw-------. 1 root root 1493 Nov 18 14:47 20131118144720-setup.conf
-rw-------. 1 root root 1475 Nov 20 12:56 20131120125645-upgrade.conf
-rw-------. 1 root root 1475 Nov 20 15:52 20131120155234-upgrade.conf

Comment 5 Itamar Heim 2014-01-21 22:20:17 UTC

Closing - RHEV 3.3 Released

Comment 6 Itamar Heim 2014-01-21 22:26:00 UTC

Closing - RHEV 3.3 Released

Note You need to log in before you can comment on or make changes to this bug.