Bug 1431555 - Some config files are writable by user ovirt
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Setup.Engine
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ovirt-4.2.0
: 4.2.0
Assignee: Ido Rosenzwig
QA Contact: David Necpal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-03-13 09:23 UTC by Yedidyah Bar David
Modified: 2017-12-20 10:49 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2017-12-20 10:49:38 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.2+




Links
System | ID | Private | Priority | Status | Summary | Last Updated
oVirt gerrit | 77483 | 0 | master | MERGED | packaging: setup: change preset ownership to root | 2017-06-07 16:20:35 UTC

Description Yedidyah Bar David 2017-03-13 09:23:27 UTC
Description of problem:

# ls -l /etc/ovirt-engine/engine.conf.d/
total 52
-rw-------. 1 ovirt ovirt 356 Feb 21 12:29 10-setup-database.conf
-rw-------. 1 ovirt ovirt 356 Nov  8 14:50 10-setup-database.conf.orig1
-rw-------. 1 ovirt ovirt 371 Feb 21 12:29 10-setup-dwh-database.conf
-rw-r--r--. 1 root  root   75 Mar  8 15:32 10-setup-java.conf
-rw-r--r--. 1 root  root   45 Feb 21 12:29 10-setup-jboss.conf
-rw-------. 1 ovirt ovirt 516 Feb 21 12:30 10-setup-pki.conf
-rw-r--r--. 1 root  root  255 Feb 21 12:29 10-setup-protocols.conf
-rw-------. 1 ovirt ovirt 401 Feb 21 12:30 11-setup-sso.conf
-rw-r--r--. 1 root  root   99 Feb 20 22:30 20-setup-jboss-overlay.conf
-rw-r--r--. 1 root  root  102 Feb  9 12:26 50-ovirt-engine-extension-aaa-jdbc.conf
-rw-r--r--. 1 root  root  108 Feb 20 16:21 50-ovirt-web-ui.conf
-rw-r--r--. 1 root  root   27 Feb  9 12:12 debug.conf
-rw-r--r--. 1 root  root  204 Feb 20 22:30 README

Files that should be protected (e.g. because they contain passwords) should be owned by root:ovirt with perms 0640 (or 0440). Currently they are writable by user ovirt, so a bug in any process running as ovirt (including the engine and dwhd) can corrupt them.

We should open a similar bug on dwhd and perhaps others.

Once solved, we should add an automated test somewhere (ovirt-system-tests?) that verifies that no such files "happen" anymore.
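
One way to write the automated check the description asks for, as an added example (not code from oVirt or ovirt-system-tests). The function names are hypothetical, and the rule that a file unreadable by "other" counts as protected is an assumption made for this sketch:

```python
import grp
import os
import pwd
import stat

SERVICE_USER = "ovirt"              # account the report names
PROTECTED_MODES = {0o640, 0o440}    # modes the report asks for


def check_entry(owner, group, mode, service_user=SERVICE_USER):
    """Return policy violations for one file; an empty list means it passes."""
    perms, problems = stat.S_IMODE(mode), []
    if owner == service_user:
        problems.append("owned by service user")   # owner can chmod and rewrite
    if group == service_user and perms & stat.S_IWGRP:
        problems.append("group-writable by service user")
    if perms & stat.S_IWOTH:
        problems.append("world-writable")
    # Assumption: a file hidden from 'other' holds secrets and must be
    # exactly root:<service_user> with mode 0640 or 0440.
    protected = not perms & stat.S_IROTH
    layout_ok = (owner, group) == ("root", service_user) and perms in PROTECTED_MODES
    if protected and not layout_ok:
        problems.append("protected file is not root:%s 0640/0440" % service_user)
    return problems


def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number if unknown."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)


def audit_dir(path, service_user=SERVICE_USER):
    """lstat() every regular file in path; return {filename: [violations]}."""
    report = {}
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode):
            problems = check_entry(_name(pwd.getpwuid, st.st_uid),
                                   _name(grp.getgrgid, st.st_gid),
                                   st.st_mode, service_user)
            if problems:
                report[entry.name] = problems
    return report
```

On an engine host, `audit_dir("/etc/ovirt-engine/engine.conf.d")` returns the files that break the policy, keyed by file name.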

Comment 1 David Necpal 2017-09-04 10:04:03 UTC
Verified on version:
ovirt-engine-4.2.0-0.0.master.20170828065003.git0619c76.el7.centos.noarch

# ls -l /etc/ovirt-engine/engine.conf.d/
total 48
-rw-r-----. 1 root  ovirt 356 Aug 30 14:53 10-setup-database.conf
-rw-------. 1 ovirt ovirt 371 Aug 30 14:54 10-setup-dwh-database.conf
-rw-r--r--. 1 root  root   48 Aug 30 14:53 10-setup-java.conf
-rw-r--r--. 1 root  root   45 Aug 30 14:53 10-setup-jboss.conf
-rw-r-----. 1 root  ovirt 516 Aug 30 14:54 10-setup-pki.conf
-rw-r--r--. 1 root  root  271 Aug 30 14:53 10-setup-protocols.conf
-rw-r-----. 1 root  ovirt 406 Aug 30 14:54 11-setup-sso.conf
-rw-r--r--. 1 root  root   99 Aug 28 10:10 20-setup-jboss-overlay.conf
-rw-r--r--. 1 root  root  102 Jul 12 17:44 50-ovirt-engine-extension-aaa-jdbc.conf
-rw-r--r--. 1 root  root  102 Aug 28 13:22 50-ovirt-engine-extension-aaa-ldap.conf
-rw-r--r--. 1 root  root  108 Jan  3  2017 50-ovirt-web-ui.conf
-rw-r--r--. 1 root  root  204 Aug 28 10:10 README

Comment 2 Sandro Bonazzola 2017-12-20 10:49:38 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

