Description of problem:
The installed /usr/share/aeolus-conductor/config/database.yml file with database credentials appears to be world-readable:

$ ls -lh /etc/aeolus-conductor/database.yml
lrwxrwxrwx. 1 root root 47 Dec 7 14:28 /etc/aeolus-conductor/database.yml -> /usr/share/aeolus-conductor/config/database.yml
$ ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r--r--. 1 root root 1.7K Dec 7 14:27 /usr/share/aeolus-conductor/config/database.yml

This permits any user with shell access on the box to obtain the credentials used to connect to Conductor's database, which they could then use to connect and manipulate the database.

Version-Release number of selected component (if applicable):
Probably all, but specifically aeolus-conductor-0.8.0-0.20111207192649gitacd1159.fc15.noarch

Expected results:
Random users cannot read the database config. (It should probably be owned by the aeolus user with group/world having no privileges.)
commit 70ed177dd3acd05a818c30ad157ba391f9197082
Author: John Eckersberg <jeckersb>
Date: Wed Dec 21 16:47:06 2011 -0500

    BZ#766929 - database.yml is world-readable
    https://bugzilla.redhat.com/show_bug.cgi?id=766929
adding ce-sprint-next bugs to ce-sprint
commit b068c7d61039aedb387e22ec7ad3149524b611f9 on conductor 0.8.x branch
bugs in verified or on_qa moving off tracker
database.yml is now owned by aeolus user.

# ls -lh /usr/share/aeolus-conductor/config/database.yml
-rw-r-----. 1 root aeolus 1.7K Jan 16 12:59 /usr/share/aeolus-conductor/config/database.yml

# rpm -qa | grep aeolus
aeolus-conductor-doc-0.8.0-7.el6.noarch
rubygem-aeolus-image-0.3.0-2.el6.noarch
rubygem-aeolus-cli-0.3.0-3.el6.noarch
aeolus-all-0.8.0-7.el6.noarch
aeolus-conductor-0.8.0-7.el6.noarch
aeolus-configure-2.5.0-4.el6.noarch
aeolus-conductor-daemons-0.8.0-7.el6.noarch
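The check the reporter ran in the description and the end state verified in the last comment, as an added shell example (this is not code from the bug report or from the aeolus-conductor project). The point it makes explicit is the one the report's two ls calls hint at: the path in /etc is a symlink whose own mode (lrwxrwxrwx) says nothing about access, so the audit has to follow the link to the file under /usr/share and inspect that. It assumes GNU coreutils (stat -L -c, readlink -f), as shipped on Fedora/RHEL; the function names, the temporary directory layout and the credentials written into the sample file are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the aeolus-conductor project.
# Audits a config file for world/group readability, following the
# /etc -> /usr/share symlink so the check lands on the real file, then applies
# the permission part of the fix verified above (0640).
# Assumes GNU coreutils (stat -L -c, readlink -f). Function names are this
# example's own.

# Octal mode, owner and group of the file a path finally resolves to.
resolve_mode() {
    stat -L -c '%a %U %G' "$1"
}

# True (exit 0) if "other" can read the resolved file. Checking the symlink
# itself would always look wide open (lrwxrwxrwx), so -L is essential.
world_readable() {
    mode=$(stat -L -c '%a' "$1") || return 2
    other=$(( mode % 10 ))          # last octal digit: permissions for "other"
    [ $(( other & 4 )) -ne 0 ]      # read bit is 4
}

# True if the owning group can read the resolved file.
group_readable() {
    mode=$(stat -L -c '%a' "$1") || return 2
    group=$(( (mode / 10) % 10 ))   # middle octal digit: group permissions
    [ $(( group & 4 )) -ne 0 ]
}

# Permission part of the fix: owner rw, group r, other nothing (0640), applied
# to the resolved target. Ownership (root:aeolus in the verified package)
# needs root and the aeolus group to exist, so it is left to the caller.
harden_config() {
    target=$(readlink -f "$1") || return 1
    chmod 0640 "$target"
}

# Self-contained demo on a constructed tree mirroring the report: a symlink in
# a fake /etc pointing at a 0644 file in a fake /usr/share. Returns 0 when the
# file was world-readable before the fix and is exactly 0640 afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/share/conductor/config" "$tmp/etc/conductor"
    real="$tmp/usr/share/conductor/config/database.yml"
    link="$tmp/etc/conductor/database.yml"
    # Constructed credentials; the real file's contents are not on the page.
    printf 'production:\n  username: conductor\n  password: constructed-example\n' > "$real"
    chmod 0644 "$real"
    ln -s "$real" "$link"

    echo "before: $(resolve_mode "$link")"
    if world_readable "$link"; then before=yes; else before=no; fi
    harden_config "$link"
    echo "after:  $(resolve_mode "$link")"
    if world_readable "$link"; then after=yes; else after=no; fi
    mode_after=$(stat -L -c '%a' "$link")

    rm -rf "$tmp"
    [ "$before" = yes ] && [ "$after" = no ] && [ "$mode_after" = 640 ]
}

demo && echo "world-readable before, 0640 after: fix verified"
```

On a real host, run world_readable against /etc/aeolus-conductor/database.yml (the symlink) rather than the target path; that is the same path an attacker would open, and following the link is what makes the result meaningful. The 0640 mode matches the verified package, which keeps group read so the service account in the aeolus group can still load the file while removing access for everyone else.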