Bug 1540622 - logs are world-readable
Summary: logs are world-readable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: Packaging.rpm
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: ovirt-4.2.2
: 4.2.2.2
Assignee: Ido Rosenzwig
QA Contact: Jiri Belka
URL:
Whiteboard:
Depends On:
Blocks: 1542511
TreeView+ depends on / blocked
 
Reported: 2018-01-31 14:36 UTC by Yedidyah Bar David
Modified: 2018-03-29 11:17 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
: 1540627 (view as bug list)
Environment:
Last Closed: 2018-03-29 11:17:23 UTC
oVirt Team: Integration
Embargoed:
rule-engine: ovirt-4.2+
rule-engine: exception+
sbonazzo: devel_ack+

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 1540261 0 unspecified CLOSED metrics host deployment playbooks logs private key 2021-02-22 00:41:40 UTC
oVirt gerrit 87552 0 master MERGED spec: Change permissions for ovirt-engine logs directories 2018-02-14 12:40:15 UTC
oVirt gerrit 87652 0 ovirt-engine-4.2 MERGED spec: Change permissions for ovirt-engine logs directories 2018-02-14 13:47:48 UTC

Internal Links: 1540261

Description Yedidyah Bar David 2018-01-31 14:36:43 UTC 
Description of problem:

/var/log/ovirt-engine, including everything underneath, is world-readable.

We protect sensitive information by filtering it out of these logs, but when we add new such information, sometimes a rather long time passes between adding it and someone noticing that it's not filtered out.

So we should make all these directories readable only as needed.

Didn't check what's the minimum that's working well - since we have there things written by user 'ovirt' and other things by user 'root', need to verify that if we change to ovirt:ovirt 0700, root is not prevented access (e.g. by selinux), or find some other solution.

Version-Release number of selected component (if applicable):

Forever.

How reproducible:

100%

Steps to Reproduce:
1. Setup engine
2. Add a host
3.

Actual results:

All logs are readable by every local user on the machine.

Expected results:

All relevant logs are readable (at most) by users ovirt and root.

Additional info:
Comment 1 Jiri Belka 2018-03-07 12:02:06 UTC 
ok, ovirt-engine-setup-base-4.2.2.2-0.1.el7.noarch

both clean install and upgrade
Comment 2 Sandro Bonazzola 2018-03-29 11:17:23 UTC 
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be
resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
Note You need to log in before you can comment on or make changes to this bug.