Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1058807

Summary: [engine-iso-uploader] /etc/ovirt-engine/isouploader.conf is world readable (can contain password!)
Product: [Retired] oVirt Reporter: Jiri Belka <jbelka>
Component: ovirt-iso-uploaderAssignee: Sandro Bonazzola <sbonazzo>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Belka <jbelka>
Severity: medium Docs Contact:
Priority: medium    
Version: 3.4CC: acathrow, didi, gklein, iheim, sbonazzo, yeylon
Target Milestone: ---Keywords: EasyFix
Target Release: 3.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard: integration
Fixed In Version: ovirt-3.4.0-beta3 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1058810 (view as bug list) Environment:
Last Closed: 2014-03-31 12:26:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1058810    

Description Jiri Belka 2014-01-28 14:45:53 UTC
Description of problem:

/etc/ovirt-engine/isouploader.conf is world readable (can contain password!)

# ls -l /etc/ovirt-engine/isouploader.conf
-rw-r--r--. 1 root root 791 Nov 19 11:28 /etc/ovirt-engine/isouploader.conf
# grep -i pass /etc/ovirt-engine/isouploader.conf
# the oVirt Engine REST API password.
#passwd=PASSWORD

Version-Release number of selected component (if applicable):
ovirt-iso-uploader-3.4.0-0.1.beta1.el6.noarch / same in 3.3 + 3.2!

How reproducible:
100%

Steps to Reproduce:
1.
2.
3.

Actual results:
world readable

Expected results:
u=rw,g=r,o=

Additional info:
clone to 3.3.Z + 3.2.Z

Comment 1 Yedidyah Bar David 2014-01-28 14:53:59 UTC
Our automated scripts will never put a password there. I think it's up to the user to take care of this. Users can also create new files (for the password or other things) under /etc/ovirt-engine/isouploader.conf.d with whatever permissions they want.

Comment 2 Sandro Bonazzola 2014-01-28 14:58:13 UTC
I don't think this is really urgent as didi said. It's easy to fix.
We can change the permission on the files we ship in the rpm but user will always be responsible of the file he creates.

Comment 3 Sandro Bonazzola 2014-01-28 14:58:48 UTC
Note that this probably should be cloned to log-collector and image-uploader as well...

Comment 4 Sandro Bonazzola 2014-02-17 07:59:41 UTC
Merged on upstream and 3.4 branch

Comment 5 Jiri Belka 2014-02-19 14:12:38 UTC
ok, beta3

# ls -l /etc/ovirt-engine/isouploader.conf
-rw-r-----. 1 root root 791 Feb 17 10:44 /etc/ovirt-engine/isouploader.conf

Comment 6 Sandro Bonazzola 2014-03-31 12:26:54 UTC
this is an automated message: moving to Closed CURRENT RELEASE since oVirt 3.4.0 has been released