Bug 1374717 - Suspicious permissions for configs and data
Summary: Suspicious permissions for configs and data
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Software Collections
Classification: Red Hat
Component: redis
Version: rh-redis32
Hardware: Unspecified
OS: Unspecified
Target Milestone: beta
: 2.3
Assignee: Remi Collet
QA Contact: Jakub Prokes
URL:
Whiteboard:
Depends On: 1374700
Blocks: 1374713 CVE-2016-2121
Reported: 2016-09-09 13:08 UTC by Honza Horak
Modified: 2016-11-15 10:16 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1374700
Environment:
Last Closed: 2016-11-15 10:16:21 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2016:2745 0 normal SHIPPED_LIVE new packages: rh-redis32 2016-11-15 14:57:04 UTC

Description Honza Horak 2016-09-09 13:08:56 UTC
I haven't checked but I suspect it will be similar in SCL.

+++ This bug was initially created as a clone of Bug #1374700 +++

Description of problem:
Config and datadir of redis have suspiciously weak permissions. It seems an attacker would be able to read data content easily, and also the password is often stored in plaintext in /etc/redis.conf.

Version-Release number of selected component (if applicable):
redis-3.0.6-3.fc24.x86_64

How reproducible:
every time

Steps to Reproduce:
1. ls -l /etc/redis*
2. ls -ld /var/lib/redis*

Actual results:
-rw-r--r--. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r--r--. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwxr-xr-x. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis

Expected results:
-rw-r-----. 1 redis root 41599 Feb  8  2016 /etc/redis.conf
-rw-r-----. 1 redis root  7355 Feb  8  2016 /etc/redis-sentinel.conf
drwx------. 2 redis redis 4096 Sep  9 14:29 /var/lib/redis
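The check below is an added example, not part of the bug report or of the redis package. It turns the "Expected results" above into an audit: each path is compared against the maximum mode the report asks for (0640 for the two config files, 0700 for the data directory) and any permission bit beyond that is reported as a finding. It assumes GNU `stat` (the `-c %a` format) and, for the self-contained demo, builds a constructed temporary tree that reproduces the "Actual results" modes rather than touching the real /etc and /var/lib.

```shell
#!/bin/sh
# Added example: audit Redis config/data permissions against the modes the
# bug report expects. Not from the report itself; assumes GNU coreutils stat.

# check_mode PATH MAXMODE
#   Returns 0 when PATH grants no permission bit outside MAXMODE (octal),
#   1 when it does (a finding), 2 when PATH cannot be stat'ed.
check_mode() {
    path=$1
    allowed=$2
    actual=$(stat -c %a "$path") || return 2
    # Bits set in the actual mode but absent from the allowed mode are the
    # excess; a leading 0 makes the arithmetic treat both as octal.
    excess=$(( 0$actual & ~0$allowed ))
    if [ "$excess" -ne 0 ]; then
        printf 'WEAK  %s mode %s exceeds %s\n' "$path" "$actual" "$allowed"
        return 1
    fi
    printf 'OK    %s mode %s\n' "$path" "$actual"
    return 0
}

# audit_redis_perms [ROOT]
#   Checks the three paths named in the report, relative to ROOT (default: the
#   live filesystem). Returns 0 only if every path is within its allowed mode.
audit_redis_perms() {
    root=${1:-}
    rc=0
    check_mode "$root/etc/redis.conf"          640 || rc=1
    check_mode "$root/etc/redis-sentinel.conf" 640 || rc=1
    check_mode "$root/var/lib/redis"           700 || rc=1
    return $rc
}

# demo: constructed tree reproducing the report's "Actual results" (644/755),
# audited once as found and once after applying the expected modes.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/etc" "$tmp/var/lib/redis"
    : > "$tmp/etc/redis.conf"
    : > "$tmp/etc/redis-sentinel.conf"
    chmod 644 "$tmp/etc/redis.conf" "$tmp/etc/redis-sentinel.conf"
    chmod 755 "$tmp/var/lib/redis"
    echo "--- as reported (weak) ---"
    audit_redis_perms "$tmp"
    chmod 640 "$tmp/etc/redis.conf" "$tmp/etc/redis-sentinel.conf"
    chmod 700 "$tmp/var/lib/redis"
    echo "--- after applying expected modes ---"
    audit_redis_perms "$tmp"
    rm -rf "$tmp"
    return 0
}

demo
```

Run without arguments the script only exercises the constructed tree; `audit_redis_perms` with no ROOT argument audits the live system. The comparison is a mask, not an equality test, so a stricter mode such as 0600 on redis.conf also passes, which is the behaviour a hardening check should have. Ownership (redis:root in the report) is not verified here and would be a separate check.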

Comment 7 errata-xmlrpc 2016-11-15 10:16:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2016-2745.html

