Bug 766929 - database.yml is world-readable
Summary: database.yml is world-readable
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: CloudForms Cloud Engine
Classification: Retired
Component: aeolus-conductor
Version: 1.0.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
Assignee: John Eckersberg
QA Contact: wes hayutin
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-12-12 19:52 UTC by Matt Wagner
Modified: 2014-08-17 22:27 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Matt Wagner 2011-12-12 19:52:29 UTC
Description of problem:
The installed /usr/share/aeolus-conductor/config/database.yml file with database credentials appears to be world-readable:

 $ ls -lh /etc/aeolus-conductor/database.yml 
lrwxrwxrwx. 1 root root 47 Dec  7 14:28 /etc/aeolus-conductor/database.yml -> /usr/share/aeolus-conductor/config/database.yml

$ ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r--r--. 1 root root 1.7K Dec  7 14:27 /usr/share/aeolus-conductor/config/database.yml

This permits any user with shell access on the box to obtain the credentials used to connect to Conductor's database, which they could then use to connect and manipulate the database.

Version-Release number of selected component (if applicable):
Probably all, but specifically aeolus-conductor-0.8.0-0.20111207192649gitacd1159.fc15.noarch


Expected results:
Random users cannot read the database config. (It should probably be owned by the aeolus user with group/world having no privileges.)

Comment 1 John Eckersberg 2011-12-21 22:18:21 UTC
commit 70ed177dd3acd05a818c30ad157ba391f9197082
Author: John Eckersberg <jeckersb@redhat.com>
Date:   Wed Dec 21 16:47:06 2011 -0500

    BZ#766929 - database.yml is world-readable
    
    https://bugzilla.redhat.com/show_bug.cgi?id=766929

Comment 2 wes hayutin 2012-01-03 17:41:45 UTC
adding ce-sprint-next bugs to ce-sprint

Comment 3 Steve Linabery 2012-01-10 21:16:36 UTC
commit b068c7d61039aedb387e22ec7ad3149524b611f9 on conductor 0.8.x branch

Comment 4 wes hayutin 2012-01-12 16:17:04 UTC
bugs in verified or on_qa moving off tracker

Comment 5 Aziza Karol 2012-01-18 12:44:43 UTC
database.yml is now owned by aeolus user.

# ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r-----. 1 root aeolus 1.7K Jan 16 12:59 /usr/share/aeolus-conductor/config/database.yml

#rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-7.el6.noarch
rubygem-aeolus-image-0.3.0-2.el6.noarch
rubygem-aeolus-cli-0.3.0-3.el6.noarch
aeolus-all-0.8.0-7.el6.noarch
aeolus-conductor-0.8.0-7.el6.noarch
aeolus-configure-2.5.0-4.el6.noarch
aeolus-conductor-daemons-0.8.0-7.el6.noarch


Note You need to log in before you can comment on or make changes to this bug.