Bug 1723322 - [downstream clone - 4.3.5] hosted-engine-setup cockpit working directory is world-readable
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: cockpit-ovirt
Version: unspecified
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.3.5
: 4.3.5
Assignee: Yedidyah Bar David
QA Contact: Wei Wang
URL:
Whiteboard:
Depends On: 1714153
Blocks:
Reported: 2019-06-24 09:48 UTC by RHV bug bot
Modified: 2022-07-09 14:35 UTC

Fixed In Version: cockpit-ovirt-0.13.3
Doc Type: Bug Fix
Doc Text:
In this release, the directory /var/lib/ovirt-hosted-engine-setup/cockpit is created with read permissions only for user 'root'. Non 'root' users cannot view this directory.
Clone Of: 1714153
Environment:
Last Closed: 2019-08-12 11:53:51 UTC
oVirt Team: Integration
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker RHV-47458 0 None None None 2022-07-09 14:35:35 UTC
Red Hat Product Errata RHSA-2019:2433 0 None None None 2019-08-12 11:54:01 UTC
oVirt gerrit 100170 0 'None' 'MERGED' 'spec: Restrict access to /var/lib/ovirt-hosted-engine-setup/cockpit' 2019-12-09 04:37:11 UTC
oVirt gerrit 100178 0 'None' 'MERGED' 'spec: Restrict access to /var/lib/ovirt-hosted-engine-setup/cockpit' 2019-12-09 04:37:11 UTC

Description RHV bug bot 2019-06-24 09:48:00 UTC
+++ This bug is an upstream to downstream clone. The original bug is: +++
+++   bug 1714153 +++
======================================================================

The directory /var/lib/ovirt-hosted-engine-setup/cockpit should be readable only as needed, as it might contain sensitive information, even after we fix Bug 1703678.

(Originally by didi)

Comment 1 RHV bug bot 2019-06-24 09:48:04 UTC
Test Version
rhvh-4.3.0.8-0.20190522.0
cockpit-system-193-1.el7.noarch
cockpit-ws-193-1.el7.x86_64
cockpit-dashboard-193-1.el7.x86_64
cockpit-193-1.el7.x86_64
cockpit-ovirt-dashboard-0.13.0-1.el7ev.noarch
cockpit-machines-ovirt-193-1.el7.noarch
cockpit-bridge-193-1.el7.x86_64
cockpit-storaged-193-1.el7.noarch
ovirt-hosted-engine-ha-2.3.1-1.el7ev.noarch
ovirt-hosted-engine-setup-2.3.8-1.el7ev.noarch


Test Steps:
[root@hp-dl388g9-04 ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwxr-xr-x.  2 root root 4096 May 14 19:09 cockpit

Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is not readable only.

QE can reproduce this issue, ACK+

(Originally by Wei Wang)

Comment 2 RHV bug bot 2019-06-24 09:48:06 UTC
QE will verify it until getting new build.

(Originally by Wei Wang)

Comment 3 RHV bug bot 2019-06-24 09:48:08 UTC
Test Version
RHVH-4.3-20190620.7-RHVH-x86_64-dvd1.iso
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-dashboard-195-1.el7.x86_64
cockpit-storaged-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.2-2.el7ev.noarch

Test Steps:
[root@hp-dlxxx-xx ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwxr-xr-x.  2 root root 4096 Jun 11 20:09 cockpit


Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is not readable only.

QE can still reproduce this issue, change back to "ASSIGNED"

(Originally by Wei Wang)

Comment 6 Wei Wang 2019-06-26 05:34:54 UTC
QE will verify it until getting the build with cockpit-ovirt-0.13.3

Comment 7 Wei Wang 2019-06-28 09:32:43 UTC
Test Version
rhvh-4.3.5.1-0.20190626.0
cockpit-system-195-1.el7.noarch
cockpit-195-1.el7.x86_64
cockpit-dashboard-195-1.el7.x86_64
cockpit-machines-ovirt-195-1.el7.noarch
cockpit-storaged-195-1.el7.noarch
cockpit-ovirt-dashboard-0.13.3-1.el7ev.noarch
cockpit-bridge-195-1.el7.x86_64
cockpit-ws-195-1.el7.x86_64


Test Steps:
According to comment 0

Result:
The directory /var/lib/ovirt-hosted-engine-setup/cockpit is readable only.
[root@hp-dlxxx-xx ~]# ls -al /var/lib/ovirt-hosted-engine-setup/|grep cockpit
drwx------.  2 root root 4096 Jun 28 16:08 cockpit


Bug is fixed, move to "VERIFIED"
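
The state verified in comment 7 (owned by root, no group or other permission bits) can be checked on a host with a script like the following. This is an added example, not part of the bug report or of cockpit-ovirt; the helper name `check_private_dir` is hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example (not from cockpit-ovirt): verify a directory is private.
# check_private_dir DIR [UID]   -- hypothetical helper name
#   0: DIR is a real directory owned by UID (default 0, root), mode & 077 == 0
#   1: DIR exists but has the wrong owner or grants group/other access
#   2: DIR is missing, a symlink, or cannot be inspected
check_private_dir() {
    dir=$1
    want_uid=${2:-0}

    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "MISSING: $dir is not a directory" >&2
        return 2
    fi

    # GNU stat (assumed): %u = numeric owner, %a = octal mode
    uid=$(stat -c '%u' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2

    rc=0
    if [ "$uid" -ne "$want_uid" ]; then
        echo "FAIL: $dir owned by uid $uid, expected $want_uid" >&2
        rc=1
    fi
    # Leading 0 makes the shell read the mode as octal; 077 masks group+other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL: $dir mode $mode grants group/other access" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir mode $mode uid $uid"
    return "$rc"
}

# Run the check when called with arguments, e.g.
#   sh check.sh /var/lib/ovirt-hosted-engine-setup/cockpit
if [ $# -gt 0 ]; then
    check_private_dir "$@"
fi
```

A directory in the `drwxr-xr-x` state shown in comments 1 and 3 makes the function return 1; the `drwx------` state from comment 7 returns 0.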

Comment 11 errata-xmlrpc 2019-08-12 11:53:51 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2433

