1088756 – Wrong permission for configuration file /etc/sysconfig/virt-who

Bug 1088756 - Wrong permission for configuration file /etc/sysconfig/virt-who

Summary: Wrong permission for configuration file /etc/sysconfig/virt-who

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	virt-who
Sub Component:
Version:	5.11
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Radek Novacek
QA Contact:	gaoshang
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2014-0189
TreeView+	depends on / blocked

Reported:	2014-04-17 06:51 UTC by Radek Novacek
Modified:	2016-12-01 00:32 UTC (History)
CC List:	3 users (show)
Fixed In Version:	virt-who-0.9-2.el5
Doc Type:	Bug Fix
Doc Text:	Cause: Configuration file for virt-who had wrong permission and was world-readable, although it can contain passwords. Consequence: Any user could read the passwords from the configuration file. Fix: Change the permissions to be root-readable only. Result: Non-root users can't read passwords from the configuration files.
Clone Of:
Environment:
Last Closed:	2014-09-16 00:29:29 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2014:1206	0	normal	SHIPPED_LIVE	virt-who bug fix and enhancement update	2014-09-16 04:16:42 UTC

Description Radek Novacek 2014-04-17 06:51:06 UTC

Configuration file /etc/sysconfig/virt-who may contain passwords but its permissions are 644 (rw-r--r--). It should be 600 (rw-------) to prevent non-root users to read the configuration file.

Comment 1 RHEL Program Management 2014-04-17 07:18:20 UTC

This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 2 Radek Novacek 2014-04-17 08:07:45 UTC

Fixed in virt-who-0.9-2.el5.

The fix only affects new installations (when the config file not yet exists), it might break some user workflow when we would change that for existing installations.

Comment 4 Liushihui 2014-04-28 03:36:45 UTC

Verified on virt-who-0.9-2.el5
Configuration file /etc/sysconfig/virt-who permissions has updated to 600 (rw-------)
[root@dhcp-128-110 libvirt-test-API]# ls -al /etc/sysconfig/virt-who 
-rw------- 1 root root 2088 Apr 27 21:55 /etc/sysconfig/virt-who

Comment 6 errata-xmlrpc 2014-09-16 00:29:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2014-1206.html

Note You need to log in before you can comment on or make changes to this bug.