Bug 1714153 - hosted-engine-setup cockpit working directory is world-readable
Status: CLOSED CURRENTRELEASE
Alias: None
Product: cockpit-ovirt
Classification: oVirt
Component: Hosted Engine
Version: 0.12.8
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.3.5
: 0.13.2
Assignee: Yedidyah Bar David
QA Contact: Wei Wang
Blocks: 1723322
Reported: 2019-05-27 09:15 UTC by Yedidyah Bar David
Modified: 2019-07-30 14:08 UTC (History)

Fixed In Version: cockpit-ovirt-0.13.2
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1723322 (view as bug list)
Environment:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is now created with read permissions only for user 'root'.
Last Closed: 2019-07-30 14:08:47 UTC
oVirt Team: Integration
sbonazzo: ovirt-4.3?
sbonazzo: planning_ack?
sbonazzo: devel_ack+
weiwang: testing_ack+


Links
System ID Private Priority Status Summary Last Updated
oVirt gerrit 100170 0 'None' 'MERGED' 'spec: Restrict access to /var/lib/ovirt-hosted-engine-setup/cockpit' 2019-12-09 04:37:48 UTC
oVirt gerrit 100178 0 'None' 'MERGED' 'spec: Restrict access to /var/lib/ovirt-hosted-engine-setup/cockpit' 2019-12-09 04:37:48 UTC

Description Yedidyah Bar David 2019-05-27 09:15:21 UTC
The directory /var/lib/ovirt-hosted-engine-setup/cockpit should be readable only as needed, as it might contain sensitive information, even after we fix Bug 1703678.

Comment 1 Wei Wang 2019-05-28 01:09:22 UTC
Test Version
rhvh-4.3.0.8-0.20190522.0
cockpit-system-193-1.el7.noarch
cockpit-ws-193-1.el7.x86_64
cockpit-dashboard-193-1.el7.x86_64
cockpit-193-1.el7.x86_64
cockpit-ovirt-dashboard-0.13.0-1.el7ev.noarch
cockpit-machines-ovirt-193-1.el7.noarch
cockpit-bridge-193-1.el7.x86_64
cockpit-storaged-193-1.el7.noarch
ovirt-hosted-engine-ha-2.3.1-1.el7ev.noarch
ovirt-hosted-engine-setup-2.3.8-1.el7ev.noarch


Test Steps:
[root@hp-dl388g9-04 ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwxr-xr-x.  2 root root 4096 May 14 19:09 cockpit

Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is not readable only.

QE can reproduce this issue, ACK+

Comment 2 Wei Wang 2019-06-17 03:09:28 UTC
QE will verify it until getting new build.

Comment 3 Wei Wang 2019-06-21 06:16:05 UTC
Test Version
RHVH-4.3-20190620.7-RHVH-x86_64-dvd1.iso
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.2-2.el7ev.noarch

Test Steps:
[root@hp-dlxxx-xx ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwxr-xr-x.  2 root root 4096 Jun 11 20:09 cockpit


Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is not readable only.

QE still can reproduce this issue, change back to "ASSIGNED"

Comment 5 Wei Wang 2019-06-26 05:41:39 UTC
QE will verify it until getting the build with cockpit-ovirt-0.13.3

Comment 6 Wei Wang 2019-06-28 09:34:14 UTC
Test Version
rhvh-4.3.5.1-0.20190626.0
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-dashboard-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-storaged-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.3-1.el7ev.noarch
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64


Test Steps:
According to comment 1

Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is readable only.
[root@hp-dlxxx-xx ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwx------.  2 root root 4096 Jun 28 16:08 cockpit


Bug is fixed, move to "VERIFIED"
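
The manual `ls -al | grep cockpit` check used in the test steps above can be scripted so that a regression to a group- or world-accessible directory fails with a non-zero exit code. This is an added example, not part of the original bug report or of the cockpit-ovirt code; the function name check_private_dir is hypothetical and the script assumes GNU stat from coreutils.

```shell
#!/bin/sh
# Added example: audit a directory for group/other access.
# check_private_dir DIR [OWNER]
#   returns 0 when DIR is owned by OWNER (default: root) and has no
#   group/other permission bits, 1 on a policy violation, 2 on a bad target.
check_private_dir() {
    dir=$1
    owner=${2:-root}

    # Refuse symlinks so the check cannot be pointed at another directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a real directory"
        return 2
    fi

    mode=$(stat -c '%a' "$dir") || return 2          # e.g. 755 or 700
    actual_owner=$(stat -c '%U' "$dir") || return 2

    if [ "$actual_owner" != "$owner" ]; then
        echo "FAIL $dir: owner is $actual_owner, expected $owner"
        return 1
    fi

    # Leading 0 makes the shell read the mode as octal; 077 masks the
    # group and other bits (rwx for each).
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $dir: mode $mode grants group/other access"
        return 1
    fi

    echo "OK   $dir: mode $mode, owner $actual_owner"
    return 0
}

# Stand-alone use, with the path from this bug report:
#   sh check.sh /var/lib/ovirt-hosted-engine-setup/cockpit
if [ "$#" -gt 0 ]; then
    check_private_dir "$@"
fi
```
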

Comment 7 Sandro Bonazzola 2019-07-30 14:08:47 UTC
This bugzilla is included in oVirt 4.3.5 release, published on July 30th 2019.

Since the problem described in this bug report should be resolved in oVirt 4.3.5 release, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

