Bug 1285986 - python-lago opens firewall ports without user consent
Status: CLOSED DEFERRED
Product: ovirt-system-tests
Classification: Community
Component: Packaging.rpm
0.4
Unspecified Unspecified
unspecified Severity high
Assigned To: David Caro
Pavel Stehlik
: Security
Reported: 2015-11-27 02:08 EST by Sandro Bonazzola
Modified: 2016-06-26 19:51 EDT
Doc Type: Bug Fix
Last Closed: 2016-01-27 13:59:22 EST
Type: Bug
Description Sandro Bonazzola 2015-11-27 02:08:19 EST
Description of problem:
While installing lago on FC23 I have:

Installazione in corso: python-lago-ovirt-0.4-0.4.fc23.noarch               3/4 
FirewallD is not running
FirewallD is not running
FirewallD is not running
avvertimento: scriptlet %post(python-lago-ovirt-0.4-0.4.fc23.noarch) fallita, uscita con stato 252
Non-fatal POSTIN scriptlet failure in rpm package python-lago-ovirt
Non-fatal POSTIN scriptlet failure in rpm package python-lago-ovirt

RPMs shouldn't mess with the firewall in %post. Especially it shouldn't open ports without user consent.

I see in %post:
if [ "$1" -eq 1 ]; then
	firewall-cmd --reload
	firewall-cmd --permanent --zone=public --add-service=lago
	firewall-cmd --reload
fi

Adding lago to services in firewalld is a security issue and should be dropped.
It's an admin task to open it if needed.

See https://fedoraproject.org/wiki/PackagingDrafts/ScriptletSnippets/Firewalld
about firewalld reload.


version: lago-0.4
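
Added example (not part of the bug report or of the lago project): a shell check that reads the text printed by `rpm -q --scripts <package>` and flags scriptlet lines that open firewalld services or ports, which is the behaviour reported above. The sample input is constructed from the %post quoted in the description, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Audit RPM scriptlets for commands that open the firewall at install time.
# Typical use on a real system:  rpm -q --scripts <package> | audit_scriptlets

# audit_scriptlets: reads scriptlet text on stdin and prints
# "<section>: <command>" for each firewall-cmd call that adds a rule.
# Returns 1 if anything was flagged, 0 if the scriptlets are clean.
audit_scriptlets() {
    awk '
        BEGIN { section = "unknown" }
        # rpm prints headers such as "postinstall scriptlet (using /bin/sh):"
        /scriptlet \(using / { section = $1; next }
        # Ignore shell comments inside the scriptlet.
        /^[ \t]*#/ { next }
        # A bare "firewall-cmd --reload" is not flagged; adding services,
        # ports, protocols, sources or rich rules is.
        /firewall-cmd/ && /--add-(service|port|protocol|source|rich-rule|forward-port)/ {
            gsub(/^[ \t]+/, "")
            print section ": " $0
            found = 1
        }
        END { exit (found ? 1 : 0) }
    '
}

# sample_scripts: constructed input, shaped like `rpm -q --scripts` output
# and carrying the %post body quoted in the bug description.
sample_scripts() {
    cat <<'EOF'
postinstall scriptlet (using /bin/sh):
if [ "$1" -eq 1 ]; then
    firewall-cmd --reload
    firewall-cmd --permanent --zone=public --add-service=lago
    firewall-cmd --reload
fi
EOF
}

# Stand-alone run over the constructed sample.
sample_scripts | audit_scriptlets || echo "scriptlets modify the firewall"
```
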
Comment 1 David Caro 2016-01-27 13:59:22 EST
Moved to https://github.com/lago-project/lago/issues/46