Bug 1088756 – Wrong permission for configuration file /etc/sysconfig/virt-who

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1088756 - Wrong permission for configuration file /etc/sysconfig/virt-who

Summary:	Wrong permission for configuration file /etc/sysconfig/virt-who

Status:	CLOSED ERRATA

Aliases:	None

Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	virt-who (Show other bugs)
Sub Component:
Version:	5.11
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified
Target Milestone:	rc
Target Release:	---
Assigned To:	Radek Novacek
QA Contact:	gaoshang
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:	CVE-2014-0189
	Show dependency tree / graph

Reported:	2014-04-17 02:51 EDT by Radek Novacek
Modified:	2016-11-30 19:32 EST (History)
CC List:	3 users (show)

See Also:
Fixed In Version:	virt-who-0.9-2.el5
Doc Type:	Bug Fix
Doc Text:	Cause: Configuration file for virt-who had wrong permission and was world-readable, although it can contain passwords. Consequence: Any user could read the passwords from the configuration file. Fix: Change the permissions to be root-readable only. Result: Non-root users can't read passwords from the configuration files.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-09-15 20:29:29 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1206	normal	SHIPPED_LIVE	virt-who bug fix and enhancement update	2014-09-16 00:16:42 EDT

Groups: None (edit)

Description Radek Novacek 2014-04-17 02:51:06 EDT

Configuration file /etc/sysconfig/virt-who may contain passwords but its permissions are 644 (rw-r--r--). It should be 600 (rw-------) to prevent non-root users to read the configuration file.

Comment 1 RHEL Product and Program Management 2014-04-17 03:18:20 EDT

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Radek Novacek 2014-04-17 04:07:45 EDT

Fixed in virt-who-0.9-2.el5.

The fix only affects new installations (when the config file not yet exists), it might break some user workflow when we would change that for existing installations.

Comment 4 Liushihui 2014-04-27 23:36:45 EDT

Verified on virt-who-0.9-2.el5
Configuration file /etc/sysconfig/virt-who permissions has updated to 600 (rw-------)
[root@dhcp-128-110 libvirt-test-API]# ls -al /etc/sysconfig/virt-who 
-rw------- 1 root root 2088 Apr 27 21:55 /etc/sysconfig/virt-who

Comment 6 errata-xmlrpc 2014-09-15 20:29:29 EDT

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1206.html

Note You need to log in before you can comment on or make changes to this bug.