Bug 1163451 - ~/.pulp/ is world readable
Status: CLOSED UPSTREAM
Alias: None
Product: Pulp
Classification: Retired
Component: z_other
Version: 2.5
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: ---
: 2.6.0
Assignee: Michael Hrivnak
QA Contact: Irina Gulina
 
Reported: 2014-11-12 17:47 UTC by Brian Bouterse
Modified: 2015-02-28 22:44 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-02-28 22:44:08 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Pulp Redmine 614 0 None None None Never

Description Brian Bouterse 2014-11-12 17:47:50 UTC
~/.pulp/ has permissions 775 which is insecure.

I expect ~/.pulp/ to have permissions 700 so that other users cannot read files within here. This is important for another bug [0] BZ 1159067 which puts username/password info into ~/.pulp/admin.conf

We can't automatically secure ~/.pulp/admin.conf because the user creates that file. We should set 700 on the folder level.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1159067

Comment 1 Michael Hrivnak 2014-11-20 00:10:43 UTC
https://github.com/pulp/pulp/pull/1339

Comment 2 Chris Duryee 2014-12-23 20:52:53 UTC
fixed in pulp 2.6.0-0.2.beta

Comment 3 Irina Gulina 2014-12-24 00:09:25 UTC
Now if /root/.pulp/ doesn't have 0700 permissions, a warning will be shown with the pulp-admin or pulp-consumer command.


>> rpm -qa | grep pulp-server
pulp-server-2.6.0-0.2.beta.fc20.noarch

>> pulp-admin login -u admin -p pass
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

Successfully logged in. Session certificate will expire at Dec 30 22:53:54 2014
GMT.

>> chmod 0700 -R /root/.pulp/
>> pulp-admin login -u admin -p pass 
Successfully logged in. Session certificate will expire at Dec 30 23:01:34 2014
GMT.

>> chmod 0740 -R /root/.pulp/
>> pulp-admin repo list --summary
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

>> pulp-consumer status
Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

This consumer is not currently registered.

If it was deleted/moved, a newly created folder ~/.pulp will have 0700.

>> mv ~/.pulp/ ~/.pulp_1/
>> pulp-consumer status
This consumer is not currently registered.

>>pulp-admin login -u admin -p wrongpass
The specified user does not have permission to execute the given command

>> ls -la  ~/ | grep pulp
drwxr-xr-x.  2 root root  4096 Nov  4 13:53 for_pulp_uploads
drwx------.  2 root root  4096 Dec 24 00:03 .pulp
drwxr-----.  3 root root  4096 Dec 23 23:02 .pulp_1
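
The behaviour verified above (create the directory as 0700 when it is missing, warn when an existing one is looser) can be sketched as follows. This is an added example, not Pulp's code and not taken from the linked pull request; the helper names ensure_private_dir and demo are hypothetical, and the check is assumed to flag any group or other permission bit, which covers both 775 and 0740 from this report.

```python
import os
import stat
import tempfile

REQUIRED_MODE = 0o700  # mode the bug report asks for on ~/.pulp/


def ensure_private_dir(path):
    """Create `path` as 0700 if missing, else return warnings about it.

    Hypothetical helper for illustration; not Pulp's implementation.
    """
    try:
        # Create directly instead of "check, then create" so there is no
        # window between the two steps. The umask can only clear bits, and
        # 0700 has no group/other bits, so the result is never looser.
        os.mkdir(path, REQUIRED_MODE)
        return []
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: do not follow a symlink placed at the path
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    warnings = []
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:  # any group/other bit lets another user in
        warnings.append(
            "path should have mode 0700 because it may contain sensitive "
            "information: %s (current mode %04o)" % (path, mode))
    if st.st_uid != os.geteuid():  # assumption: the directory must be ours
        warnings.append("%s is owned by uid %d" % (path, st.st_uid))
    return warnings


def demo():
    """Run the check against a constructed temporary home directory."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        path = os.path.join(home, ".pulp")
        results["created"] = ensure_private_dir(path)
        results["created_mode"] = stat.S_IMODE(os.lstat(path).st_mode)
        for mode in (0o775, 0o740, 0o700):  # modes seen in this report
            os.chmod(path, mode)
            results[mode] = ensure_private_dir(path)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because the directory itself denies traversal to other users, a user-created ~/.pulp/admin.conf inside it is protected even when the file's own mode is left at the default.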

Comment 4 Brian Bouterse 2015-02-28 22:44:08 UTC
Moved to https://pulp.plan.io/issues/614

