Bug 621549 - /etc/abrt/plugins/<plugin>.conf should have 0600 permissions when they (possibly) contain password
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: abrt
Version: 6.0
Platform: All Linux
Priority: high
Severity: high
Target Milestone: rc
Assigned To: Jiri Moskovcak
QA Contact: BaseOS QE - Apps
Reported: 2010-08-05 09:12 EDT by Michal Nowak
Modified: 2015-02-01 17:52 EST
Last Closed: 2010-08-05 10:18:40 EDT
Doc Type: Bug Fix
Attachments: None
Description Michal Nowak 2010-08-05 09:12:04 EDT
Description of problem:

/etc/abrt/plugins/RHTSupport.conf should be readable only by its owner because it may contain the password to the GSS portal. (It's done this way for Bugzilla.conf.)

Similarly for the following conf files:

newman@dhcp-lab-222 ~ $ sudo grep -i pass -n /etc/abrt/plugins/*
/etc/abrt/plugins/Bugzilla.conf:9:# your password
/etc/abrt/plugins/Bugzilla.conf:10:Password =

/etc/abrt/plugins/FileTransfer.conf:23:# for example: ftp://user:password@server.name/directory
/etc/abrt/plugins/FileTransfer.conf:24:# or:          scp://user:password@server.name:port/directory etc.

/etc/abrt/plugins/ReportUploader.conf:12:# for example: ftp://user:password@server.name/directory
/etc/abrt/plugins/ReportUploader.conf:13:# or:          scp://user:password@server.name:port/directory etc.

/etc/abrt/plugins/RHTSupport.conf:8:# Your password
/etc/abrt/plugins/RHTSupport.conf:9:Password = redhat


Version-Release number of selected component (if applicable):

abrt-1.1.12-2.el6.x86_64
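An audit check in the spirit of the report, added here as an example (not abrt's code or the reporter's): it flags plugin conf files that set a non-empty Password value or embed user:password@ credentials in a URL while still being group- or world-readable. The sample conf contents and the temporary directory are constructed for the demo; point audit() at a real /etc/abrt/plugins to run it for real.

```python
import os
import re
import stat
import tempfile

# Constructed sample configs (not the real abrt files), mirroring the grep
# output above: an empty Password, a set Password, and a URL with credentials.
SAMPLE_CONFS = {
    "Bugzilla.conf": "# your password\nPassword =\n",
    "RHTSupport.conf": "# Your password\nPassword = redhat\n",
    "FileTransfer.conf": ("# for example: ftp://user:password@server.name/directory\n"
                          "URL = scp://bob:s3cret@host:22/drop\n"),
}

# "Password = <something>" with a non-empty value, case-insensitive key.
PASSWORD_KEY = re.compile(r"^\s*Password\s*=\s*(\S.*)$", re.IGNORECASE)
# Any "Key = scheme://user:pass@host" style value.
URL_CRED = re.compile(r"^\s*[A-Za-z_]+\s*=.*://[^/\s:@]+:[^/\s@]+@")


def contains_secret(text):
    """True if a non-comment line sets a Password or embeds user:pass@ in a URL."""
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented examples like the ftp://user:password@ hint are fine
        if PASSWORD_KEY.match(line) or URL_CRED.match(line):
            return True
    return False


def world_readable(path):
    """True if group or other has read permission on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(conf_dir):
    """Return sorted names of *.conf files that hold a secret and are not 0600-like."""
    findings = []
    for name in sorted(os.listdir(conf_dir)):
        if not name.endswith(".conf"):
            continue
        path = os.path.join(conf_dir, name)
        with open(path) as f:
            if contains_secret(f.read()) and world_readable(path):
                findings.append(name)
    return findings


def demo():
    """Write the constructed configs with mode 0644 into a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in SAMPLE_CONFS.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(body)
            os.chmod(p, 0o644)  # the world-readable default the report objects to
        return audit(d)
```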
Comment 1 Jiri Moskovcak 2010-08-05 09:36:09 EDT
Hi,
I don't agree with this; actually, even Bugzilla.conf should be readable, as the settings from that file are meant to be used as "defaults" and are passed to the clients (gui/cli) anyway, so making it not readable doesn't make sense...

J.
Comment 2 Michal Nowak 2010-08-05 09:47:51 EDT
Why would anyone put a password in a world-readable file? The GUI and CLI may ask the daemon for the defaults.
Comment 3 Jiri Moskovcak 2010-08-05 09:59:36 EDT
(In reply to comment #2)
> GUI and CLI may ask daemon for the defaults.    

Yes, that's what happens: the daemon tells the password to the gui/cli, which means it's passed to the non-root app, so what's the point of making it not readable when the user can read it in the gui/cli anyway? These files are not meant to be used for secrets, they just *can be*; if root wants to set the password somewhere safe he can use $HOME/.abrt/<plugin_name>.conf, but imagine a situation where you want all users to use the same account for submitting bugs ...

J.
Comment 4 Jiri Moskovcak 2010-08-05 10:18:40 EDT
I asked the DOC guys to mention this "feature" in the deployment guide:

https://bugzilla.redhat.com/show_bug.cgi?id=561658#c43

and closing this as NOTABUG.
J.