Bug 1540622 - logs are world-readable
Status: CLOSED CURRENTRELEASE
Product: ovirt-engine
Classification: oVirt
Component: Packaging.rpm
4.2.0
Unspecified Unspecified
medium Severity medium
: ovirt-4.2.2
: 4.2.2.2
Assigned To: Ido Rosenzwig
Jiri Belka
Blocks: 1542511
Reported: 2018-01-31 09:36 EST by Yedidyah Bar David
Modified: 2018-03-29 07:17 EDT

Clone Of:
: 1540627
Last Closed: 2018-03-29 07:17:23 EDT
Type: Bug
oVirt Team: Integration
rule-engine: ovirt‑4.2+
rule-engine: exception+
sbonazzo: devel_ack+


External Trackers
Tracker | ID | Priority | Status | Summary | Last Updated
oVirt gerrit | 87552 | master | MERGED | spec: Change permissions for ovirt-engine logs directories | 2018-02-14 07:40 EST
oVirt gerrit | 87652 | ovirt-engine-4.2 | MERGED | spec: Change permissions for ovirt-engine logs directories | 2018-02-14 08:47 EST

Description Yedidyah Bar David 2018-01-31 09:36:43 EST
Description of problem:

/var/log/ovirt-engine, including everything underneath, is world-readable.

We protect sensitive information by filtering it out of these logs, but when we add new such information, sometimes a rather long time passes between adding it and someone noticing that it's not filtered out.

So we should make all these directories readable only as needed.

Didn't check what's the minimum that's working well - since we have there things written by user 'ovirt' and other things by user 'root', need to verify that if we change to ovirt:ovirt 0700, root is not prevented access (e.g. by selinux), or find some other solution.

Version-Release number of selected component (if applicable):

Forever.

How reproducible:

100%

Steps to Reproduce:
1. Setup engine
2. Add a host
3.

Actual results:

All logs are readable by every local user on the machine.

Expected results:

All relevant logs are readable (at most) by users ovirt and root.

Additional info:
Comment 1 Jiri Belka 2018-03-07 07:02:06 EST
ok, ovirt-engine-setup-base-4.2.2.2-0.1.el7.noarch

both clean install and upgrade
Comment 2 Sandro Bonazzola 2018-03-29 07:17:23 EDT
This bugzilla is included in oVirt 4.2.2 release, published on March 28th 2018.

Since the problem described in this bug report should be resolved in oVirt 4.2.2 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.
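
A check for the condition described in this report, usable to confirm the fix after a clean install or upgrade. This is an added example, not part of the bug report or the oVirt packaging change; the script name `audit.sh` and the function names are hypothetical, while the path and the allowed owners `ovirt` and `root` come from the report.

```shell
#!/bin/sh
# Added example (not from the oVirt project): audit a log tree for the
# condition in this report. Allowed owners are passed by the caller; the
# report's expected state is "readable (at most) by users ovirt and root".

# Entries under $1 granting read, write or execute to "other".
# Symlinks are skipped because their own mode bits are not enforced.
list_other_accessible() {
    find "$1" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Entries under $1 not owned by any of the remaining arguments
# (user names or numeric UIDs).
list_unexpected_owner() {
    dir=$1; shift
    for u in "$@"; do          # swap each owner for a "! -user OWNER" test
        set -- "$@" ! -user "$u"
        shift
    done
    find "$dir" "$@" -print
}

# Exit status: 0 clean, 1 findings printed, 2 tree missing.
audit_log_tree() {
    tree=$1; shift
    [ -d "$tree" ] || { echo "not a directory: $tree" >&2; return 2; }
    findings=$( { list_other_accessible "$tree"
                  list_unexpected_owner "$tree" "$@"; } | sort -u )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/FINDING: /'
    return 1
}

# Run as (hypothetical file name): sh audit.sh /var/log/ovirt-engine ovirt root
if [ "$#" -gt 0 ]; then
    audit_log_tree "$@"
fi
```

Run it as root so that `find` can descend into directories that are already restricted.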
