It was identified that the Command Line Interface, as provided by Red Hat Enterprise Application Platform and WildFly (previously JBoss Application Server), created a history file named .jboss-cli-history in the user's home directory with insecure default file permissions. This could allow a malicious local user to gain information otherwise not accessible.
Within the server this class contains the approach previously used to set permissions on a folder:
- https://github.com/wildfly/wildfly-core/blob/master/remoting/subsystem/src/main/java/org/jboss/as/remoting/RealmSecurityProviderService.java

A script based solution may be possible but we do need to keep in mind users can update the configuration to alter the location of the history so a script would only be based on the default location.

Also to add to this upstream I have the following task to re-visit file system permissions using the APIs available to us in Java 7:
- https://issues.jboss.org/browse/WFLY-431

I don't think now is the time but maybe for EAP 6 we can explore a 'if using Java 7 use new API, otherwise use Java6 approach'.
A solution that handles the default case (via script), tries to fix permissions (if using Java 7) and warns if configuration is modified and permissions are unable to be set (if using Java 6 or earlier) would be, in my opinion, considered a sufficient fix taking into account supported deployments.
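The fix shape proposed in the comment above (use the Java 7 java.nio.file API to restrict the history file when it is available, fall back to the java.io.File approach otherwise, and warn when neither can enforce permissions) as an added illustration; this is example code written for this page, not code from WildFly or the JBoss CLI. The file name is the one from the report; the class and method names are assumed, and the fallback is a generic Java 6 approach rather than the project's own.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class HistoryFilePermissions {
    // File name from the report; the location is configurable, so callers pass the full path.
    static final String DEFAULT_HISTORY = ".jboss-cli-history";

    /** Java 7 path: create the file owner-only, or tighten an existing one.
     *  Returns false when the file store has no POSIX view (e.g. Windows), so the caller can warn. */
    static boolean secureHistoryFile(Path history) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rw-------");
        Path parent = history.toAbsolutePath().getParent();
        if (!Files.getFileStore(parent).supportsFileAttributeView("posix")) {
            if (Files.notExists(history)) Files.createFile(history);
            return false;
        }
        if (Files.notExists(history)) {
            // Create with the restrictive mode in one step; umask can only remove bits from it.
            Files.createFile(history, PosixFilePermissions.asFileAttribute(ownerOnly));
        } else {
            Files.setPosixFilePermissions(history, ownerOnly);
        }
        return true;
    }

    /** Java 6 fallback (assumed here, not the project's code): java.io.File flags cannot
     *  address group and others separately, so revoke for everyone and grant back to the owner. */
    static boolean restrictWithLegacyApi(File f) {
        boolean ok = f.setReadable(false, false) && f.setReadable(true, true);
        return ok && f.setWritable(false, false) && f.setWritable(true, true);
    }

    /** Audit check: true if anyone other than the owner can read the history file. */
    static boolean isReadableByOthers(Path history) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(history);
        return perms.contains(PosixFilePermission.GROUP_READ)
            || perms.contains(PosixFilePermission.OTHERS_READ);
    }

    public static void main(String[] args) throws IOException {
        Path history = Paths.get(System.getProperty("user.home"), DEFAULT_HISTORY);
        if (!secureHistoryFile(history) && !restrictWithLegacyApi(history.toFile())) {
            System.err.println("WARNING: could not restrict permissions on " + history
                + "; other local users may be able to read CLI history");
        }
    }
}
```

The script-based default-location fix the comment mentions would be the equivalent of `chmod 600 ~/.jboss-cli-history`, which this class performs from inside the JVM so that a relocated history file is covered too.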
Upstream Issue: https://issues.jboss.org/browse/WFCORE-120
I would like to propose unembargoing this issue public as it is low severity.
unembargoed.
This issue has been addressed in the following products: JBoss Enterprise Application Platform 6.4.0 Via RHSA-2015:0849 https://rhn.redhat.com/errata/RHSA-2015-0849.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 6 Via RHSA-2015:0847 https://rhn.redhat.com/errata/RHSA-2015-0847.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 5 Via RHSA-2015:0846 https://rhn.redhat.com/errata/RHSA-2015-0846.html
This issue has been addressed in the following products: JBEAP 6.4.z for RHEL 7 Via RHSA-2015:0848 https://rhn.redhat.com/errata/RHSA-2015-0848.html
This issue has been addressed in the following products: JBoss Portal 6.2.0 Via RHSA-2015:1009 https://rhn.redhat.com/errata/RHSA-2015-1009.html
This issue has been addressed in JON 3.3.4 via a rebase of EAP 6.4.3