Bug 1374700 - Suspicious permissions for configs and data
Summary: Suspicious permissions for configs and data
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: redis
Version: 26
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: ---
Assignee: Flavio Percoco
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1374713 1374717 CVE-2016-2121
 
Reported: 2016-09-09 13:01 UTC by Honza Horak
Modified: 2017-07-21 05:30 UTC (History)
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1374713 1374717
Environment:
Last Closed: 2017-07-21 05:30:00 UTC
Type: Bug
Embargoed:



Description Honza Horak 2016-09-09 13:01:25 UTC
Description of problem:
Config and datadir of redis have suspiciously weak permissions. It seems an attacker would be able to read data content easily, and also the password is often stored in plaintext in /etc/redis.conf.

Version-Release number of selected component (if applicable):
redis-3.0.6-3.fc24.x86_64

How reproducible:
every time

Steps to Reproduce:
1. ls -l /etc/redis*
2. ls -ld /var/lib/redis*

Actual results:
-rw-r--r--. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r--r--. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwxr-xr-x. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis

Expected results:
-rw-r-----. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r-----. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwx------. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis

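The following audit script is an added example, not part of this bug report or of the Fedora redis package. It turns the "Expected results" above into a repeatable check: each path is compared against the tightest mode the report expects (0640 for the two config files, 0700 for the data directory) and any extra permission bits are reported. It assumes GNU stat(1) for the `%a` format, and the 0750 mode used for /var/log/redis is an assumption (Comment 1 only suggests the log directory should be checked, without naming a mode). The demo function builds constructed sample files in a temporary directory reproducing the shipped modes, so it runs without a redis installation.

```shell
#!/bin/sh
# Added audit helper (not from the bug report or the redis package): flag
# config and data paths whose mode grants more than an allowed mask, e.g. a
# world-readable /etc/redis.conf that may carry a plaintext requirepass.

# mode_within MODE ALLOWED: succeed if MODE sets no bits outside ALLOWED.
# Both are octal strings such as 644; the leading 0 makes the POSIX shell
# arithmetic parse them as octal. Special bits (setuid/setgid/sticky) are
# masked off with 0777 so only rwx bits are compared.
mode_within() {
    extra=$(( 0$1 & ~0$2 & 0777 ))
    [ "$extra" -eq 0 ]
}

# check_path PATH ALLOWED: print a finding on stderr when PATH is looser
# than ALLOWED (or missing); succeed only when it is within the mask.
# Uses GNU stat's %a (numeric mode) format; an assumption for this example.
check_path() {
    path=$1; allowed=$2
    mode=$(stat -c '%a' "$path" 2>/dev/null) || {
        printf 'MISSING: %s\n' "$path" >&2
        return 1
    }
    if mode_within "$mode" "$allowed"; then
        return 0
    fi
    printf 'LOOSE: %s has mode %s, expected at most %s\n' "$path" "$mode" "$allowed" >&2
    return 1
}

# audit_redis_paths: the checks the report describes, run against a live
# system. Returns the number of findings (0 means everything is tight enough).
audit_redis_paths() {
    failures=0
    check_path /etc/redis.conf 640          || failures=$((failures + 1))
    check_path /etc/redis-sentinel.conf 640 || failures=$((failures + 1))
    check_path /var/lib/redis 700           || failures=$((failures + 1))
    # 750 is an assumed mode for the log directory mentioned in Comment 1.
    check_path /var/log/redis 750           || failures=$((failures + 1))
    return "$failures"
}

# demo_audit: constructed sample files in a temp dir that reproduce the
# "Actual results" modes (644 config, 755 data dir) next to the expected
# ones (640, 700); echoes the number of findings, which is 2.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    touch "$tmp/redis.conf" "$tmp/redis-sentinel.conf"
    mkdir "$tmp/lib-redis" "$tmp/lib-redis-fixed"
    chmod 644 "$tmp/redis.conf"           # as shipped: world-readable config
    chmod 640 "$tmp/redis-sentinel.conf"  # as expected: no finding
    chmod 755 "$tmp/lib-redis"            # as shipped: world-listable data dir
    chmod 700 "$tmp/lib-redis-fixed"      # as expected: no finding
    n=0
    check_path "$tmp/redis.conf" 640          || n=$((n + 1))
    check_path "$tmp/redis-sentinel.conf" 640 || n=$((n + 1))
    check_path "$tmp/lib-redis" 700           || n=$((n + 1))
    check_path "$tmp/lib-redis-fixed" 700     || n=$((n + 1))
    rm -rf "$tmp"
    echo "$n"
}

# Run the live-system audit only when explicitly asked; otherwise show the
# constructed demo so the script is safe to execute anywhere.
if [ "${1-}" = "--system" ]; then
    audit_redis_paths
else
    demo_audit >/dev/null
fi
```

Running the script with `--system` on a host that still has the 3.0.6 packaging prints two `LOOSE:` lines for /etc/redis.conf and /var/lib/redis; after the 3.2.3-2 fix noted in Comment 4 those paths should produce no findings. The mask comparison deliberately accepts modes tighter than the expected one (a 0600 config passes a 0640 check), since the point is an upper bound on exposure, not an exact match.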
Comment 1 Remi Collet 2016-09-09 13:24:34 UTC
Probably the same thing for /var/log/redis

Comment 3 Fedora End Of Life 2017-02-28 10:14:09 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 26 development cycle.
Changing version to '26'.

Comment 4 Nathan Scott 2017-07-21 05:30:00 UTC
This was resolved in the redis-3.2.3-2 build; marking as done.

