Bug 1678433 - Installer does not secure vsphere.conf
Summary: Installer does not secure vsphere.conf
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 3.11.0
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
: 3.11.z
Assignee: Scott Dodson
QA Contact: Liang Xia
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-02-18 18:29 UTC by tmlapp
Modified: 2019-05-03 13:08 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The permissions on vsphere cloud configuration file have been restricted to prevent access from other users.
Clone Of:
Environment:
Last Closed: 2019-05-03 13:08:49 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0407 0 None None None 2019-03-14 02:18:01 UTC

Description tmlapp 2019-02-18 18:29:20 UTC 
Description of problem:
The openshift-ansible installer does not secure the vsphere.conf cloudprovider config file in the template task when installed.

Version-Release number of the following components:
rpm -q openshift-ansible:
openshift-ansible-3.11.51-2.git.0.51c90a3.el7.noarch

How reproducible:

Steps to Reproduce:
1. Install openshift-ansible
2. Configure vsphere cloudprovider
3. deploy openshift


Actual results:
vsphere.conf cloud provider config file is mode 0644

Expected results:
vsphere.conf should not be world readable as it contains user credentials to manipulate vsphere config.

Additional info:
This has been patched upstream
https://github.com/openshift/openshift-ansible/pull/11155

Please merge and backport.
Thanks.
Comment 1 Scott Dodson 2019-02-18 20:07:03 UTC 
Referenced PR has merged and is in openshift-ansible-3.11.84-1 and later.
Comment 3 Liang Xia 2019-02-25 06:59:12 UTC 
# oc version ; ls -lh /etc/origin/cloudprovider/vsphere.conf 

oc v3.11.85
kubernetes v1.11.0+d4cacc0
features: Basic-Auth GSSAPI Kerberos SPNEGO

-rw-rw----. 1 root root 272 Feb 15 06:14 /etc/origin/cloudprovider/vsphere.conf
Comment 5 Scott Dodson 2019-05-03 13:08:49 UTC 
openshift-ansible-3.11.92-1.git.0.f2fade7.el7 included this fix
Note You need to log in before you can comment on or make changes to this bug.