Description of problem:
Config and datadir of redis have suspiciously weak permissions. It seems an attacker would be able to read data content easily, and also the password is often stored in plaintext in /etc/redis.conf.

Version-Release number of selected component (if applicable):
redis-3.0.6-3.fc24.x86_64

How reproducible:
every time

Steps to Reproduce:
1. ls -l /etc/redis*
2. ls -ld /var/lib/redis*

Actual results:
-rw-r--r--. 1 redis root 41599 Feb 8 2016 /etc/redis.conf
-rw-r--r--. 1 redis root 7355 Feb 8 2016 /etc/redis-sentinel.conf
drwxr-xr-x. 2 redis redis 4096 Sep 9 14:29 /var/lib/redis

Expected results:
-rw-r-----. 1 redis root 41599 Feb 8 2016 /etc/redis.conf
-rw-r-----. 1 redis root 7355 Feb 8 2016 /etc/redis-sentinel.conf
drwx------. 2 redis redis 4096 Sep 9 14:29 /var/lib/redis
Probably the same thing for /var/log/redis
See http://pkgs.fedoraproject.org/cgit/rpms/redis.git?h=private-cleanup
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle. Changing version to '26'.
This was resolved in the redis-3.2.3-2 build; marking as done.
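
Added example (not part of the original report or of the Fedora package): a shell check that flags the paths named in the report when their mode grants bits beyond the "Expected results" (640 for the config files, 700 for the data directory). It assumes GNU stat; the function names and the temporary sample tree are constructed for illustration, and only mode bits are checked, not ownership.

```shell
#!/bin/sh
# Added example: audit Redis config/data paths for permission bits beyond
# the modes listed under "Expected results". Assumes GNU coreutils stat.

# too_permissive PATH MAX_MODE
# Exit 0 when PATH carries any permission bit that MAX_MODE does not allow.
too_permissive() {
    actual=$(stat -c '%a' "$1") || return 2
    [ $(( 0$actual & ~0$2 & 07777 )) -ne 0 ]
}

# audit_redis PREFIX
# PREFIX is "" for the live system or a directory holding a test tree.
# Prints one line per over-permissive path; returns 1 if any were found.
audit_redis() {
    rc=0
    for entry in etc/redis.conf:640 etc/redis-sentinel.conf:640 var/lib/redis:700; do
        path="$1/${entry%%:*}"
        want=${entry##*:}
        [ -e "$path" ] || continue          # not installed: nothing to check
        if too_permissive "$path" "$want"; then
            echo "$path: mode $(stat -c '%a' "$path") exceeds $want"
            rc=1
        fi
    done
    return $rc
}

# make_sample_tree DIR CONF_MODE DATADIR_MODE
# Builds a constructed directory tree so the check can run without Redis.
make_sample_tree() {
    mkdir -p "$1/etc" "$1/var/lib/redis"
    : > "$1/etc/redis.conf"
    : > "$1/etc/redis-sentinel.conf"
    chmod "$2" "$1/etc/redis.conf" "$1/etc/redis-sentinel.conf"
    chmod "$3" "$1/var/lib/redis"
}

# Demo on a constructed tree using the modes from "Actual results".
tmp=$(mktemp -d)
make_sample_tree "$tmp" 644 755
audit_redis "$tmp" || echo "over-permissive paths found"
rm -rf "$tmp"
```

Run `audit_redis ""` to check the installed paths on a host.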