Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1431555

Summary: Some config files are writable by user ovirt
Product: [oVirt] ovirt-engine Reporter: Yedidyah Bar David <didi>
Component: Setup.EngineAssignee: Ido Rosenzwig <irosenzw>
Status: CLOSED CURRENTRELEASE QA Contact: David Necpal <dnecpal>
Severity: low Docs Contact:
Priority: medium    
Version: 4.1.0CC: bugs, ylavi
Target Milestone: ovirt-4.2.0Flags: rule-engine: ovirt-4.2+
Target Release: 4.2.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-12-20 10:49:38 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Integration RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Yedidyah Bar David 2017-03-13 09:23:27 UTC 
Description of problem:

# ls -l /etc/ovirt-engine/engine.conf.d/
total 52
-rw-------. 1 ovirt ovirt 356 Feb 21 12:29 10-setup-database.conf
-rw-------. 1 ovirt ovirt 356 Nov  8 14:50 10-setup-database.conf.orig1
-rw-------. 1 ovirt ovirt 371 Feb 21 12:29 10-setup-dwh-database.conf
-rw-r--r--. 1 root  root   75 Mar  8 15:32 10-setup-java.conf
-rw-r--r--. 1 root  root   45 Feb 21 12:29 10-setup-jboss.conf
-rw-------. 1 ovirt ovirt 516 Feb 21 12:30 10-setup-pki.conf
-rw-r--r--. 1 root  root  255 Feb 21 12:29 10-setup-protocols.conf
-rw-------. 1 ovirt ovirt 401 Feb 21 12:30 11-setup-sso.conf
-rw-r--r--. 1 root  root   99 Feb 20 22:30 20-setup-jboss-overlay.conf
-rw-r--r--. 1 root  root  102 Feb  9 12:26 50-ovirt-engine-extension-aaa-jdbc.conf
-rw-r--r--. 1 root  root  108 Feb 20 16:21 50-ovirt-web-ui.conf
-rw-r--r--. 1 root  root   27 Feb  9 12:12 debug.conf
-rw-r--r--. 1 root  root  204 Feb 20 22:30 README

Files that should be protected (e.g. because they contain passwords), should be owned by root:ovirt with perms 0640 (or 0440). Currently they are writable by user ovirt, so a bug in any process running as ovirt (including the engine and dwhd can corrupt them.

We should open a similar bug on dwhd and perhaps others.

Once solved, we should add an automated test somewhere (ovirt-system-tests?) that verifies that no such files "happen" anymore.
Comment 1 David Necpal 2017-09-04 10:04:03 UTC 
Verified on version:
ovirt-engine-4.2.0-0.0.master.20170828065003.git0619c76.el7.centos.noarch

# ls -l /etc/ovirt-engine/engine.conf.d/
total 48
-rw-r-----. 1 root  ovirt 356 Aug 30 14:53 10-setup-database.conf
-rw-------. 1 ovirt ovirt 371 Aug 30 14:54 10-setup-dwh-database.conf
-rw-r--r--. 1 root  root   48 Aug 30 14:53 10-setup-java.conf
-rw-r--r--. 1 root  root   45 Aug 30 14:53 10-setup-jboss.conf
-rw-r-----. 1 root  ovirt 516 Aug 30 14:54 10-setup-pki.conf
-rw-r--r--. 1 root  root  271 Aug 30 14:53 10-setup-protocols.conf
-rw-r-----. 1 root  ovirt 406 Aug 30 14:54 11-setup-sso.conf
-rw-r--r--. 1 root  root   99 Aug 28 10:10 20-setup-jboss-overlay.conf
-rw-r--r--. 1 root  root  102 Jul 12 17:44 50-ovirt-engine-extension-aaa-jdbc.conf
-rw-r--r--. 1 root  root  102 Aug 28 13:22 50-ovirt-engine-extension-aaa-ldap.conf
-rw-r--r--. 1 root  root  108 Jan  3  2017 50-ovirt-web-ui.conf
-rw-r--r--. 1 root  root  204 Aug 28 10:10 README
Comment 2 Sandro Bonazzola 2017-12-20 10:49:38 UTC 
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.