1256735 – krb5kdc.log file is world-readable on IPA

Bug 1256735 - krb5kdc.log file is world-readable on IPA

Summary: krb5kdc.log file is world-readable on IPA

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	krb5
Sub Component:
Version:	7.2
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	Marek Marusic
Docs Contact:
URL:
Whiteboard:
Depends On:	1276484
Blocks:	1292074 1292523
TreeView+	depends on / blocked

Reported:	2015-08-25 11:10 UTC by Sudhir Menon
Modified:	2016-11-03 20:22 UTC (History)
CC List:	6 users (show)
Fixed In Version:	krb5-1.14.1-4.el7
Doc Type:	No Doc Update
Doc Text:	undefined
Clone Of:
Clones:	1276484 1292523 (view as bug list)
Environment:
Last Closed:	2016-11-03 20:22:47 UTC
Target Upstream Version:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:2591	0	normal	SHIPPED_LIVE	Low: krb5 security, bug fix, and enhancement update	2016-11-03 12:10:29 UTC

Description Sudhir Menon 2015-08-25 11:10:51 UTC

Description of problem: krb5kdc.log file is world-readable

Version-Release number of selected component (if applicable):

[root@ipaserver log]# rpm -qa | grep ipa-server
ipa-server-4.2.0-5.el7.x86_64
ipa-server-trust-ad-4.2.0-5.el7.x86_64
ipa-server-dns-4.2.0-5.el7.x86_64
krb5-server-1.13.2-8.el7.x86_64

How reproducible:Always


Steps to Reproduce:
1. Login to IPA server.
2. Navigate to /var/log directory
3. Check the permission of the krb5kdc.log

Actual results: krb5kdc.log file is world-readable.

-rw-------. 1 root   root          25381 Aug 25 15:42 kadmind.log
-rw-r--r--. 1 root   root        1396050 Aug 25 16:30 krb5kdc.log


Expected results: krb5kdc.log shouldn't be world-readable unless needed and also keeping permissions 0600 to be consistent with other kerberos log files.

Additional Info: Logging this bug after having a word with Roland.

Comment 2 Martin Kosek 2015-08-26 08:27:32 UTC

Moving to krb5 component, given it is krb5 question.

Comment 12 errata-xmlrpc 2016-11-03 20:22:47 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2016-2591.html

Note You need to log in before you can comment on or make changes to this bug.