similar to: https://bugzilla.redhat.com/show_bug.cgi?id=766929

The installed /etc/katello/katello.yml file with database credentials appears to be world-readable:

$ ls -alht /etc/katello/katello.yml
-rw-r--r--. 1 root root 4.0K Dec 6 17:11 /etc/katello/katello.yml

This permits any user with shell access on the box to obtain the credentials used to connect to Katello's database, which they could then use to connect and manipulate the database.

Version-Release number of selected component (if applicable):
katello-0.1.135-2.el6.x86_64

Expected results:
Random users cannot read the database config. (It should probably be owned by the katello user with group/world having no privileges.)
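The ownership and mode check the report asks for, written out as a small audit-and-fix script. This is an added example, not code from the bug report or from the Katello project; it assumes GNU stat (the -c option), takes the file path and service account from the report (/etc/katello/katello.yml, katello) as arguments so it can be pointed at any credential-bearing config file, and only changes ownership when the named account exists on the host.

```shell
#!/bin/sh
# Added example (not from the Bugzilla thread or Katello): audit a config
# file for the condition reported above and tighten it to owner-only access.
# Assumes GNU stat; path and account name are passed in by the caller.

# check_config_perms FILE OWNER
# Returns 0 if FILE is owned by OWNER and has no group/other permission bits,
# 1 if anyone besides the owner can read or write it, 2 if FILE is missing.
check_config_perms() {
    file=$1
    owner=$2
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file")    # octal mode, e.g. 644 or 600
    fowner=$(stat -c '%U' "$file")  # owner name
    # the last two octal digits are the group and other permission bits
    go=$(printf '%s' "$mode" | tail -c 2)
    if [ "$fowner" != "$owner" ] || [ "$go" != "00" ]; then
        echo "BAD  $file mode=$mode owner=$fowner (want owner=$owner mode=600)"
        return 1
    fi
    echo "OK   $file mode=$mode owner=$fowner"
    return 0
}

# fix_config_perms FILE OWNER
# Strips group/other bits and hands the file to OWNER when that account
# resolves on this host (chown needs root; chmod works for the file's owner).
fix_config_perms() {
    file=$1
    owner=$2
    chmod 0600 "$file" || return 1
    if [ -n "$owner" ] && id "$owner" >/dev/null 2>&1; then
        chown "$owner:$owner" "$file" || return 1
    fi
    return 0
}

# Usage against the file from the report (run as root for the chown step):
#   check_config_perms /etc/katello/katello.yml katello \
#       || fix_config_perms /etc/katello/katello.yml katello
```

The check deliberately fails on any group or other bit, not just the read bit, since a group-writable config lets another account rewrite the credentials as well as read them; the -rw------- result the later comments show is exactly what it accepts.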
Damn! Nice catch.
a0a05d7 766933 - katello.yml is world readable including db uname/password
c7ee187 766933 - katello.yml now deployed with correct perms
and what are the permissions (owner/group there)?
ls /etc/katello/katello.yml -la
-rw-------. 1 katello katello 4027 Dec 16 11:00 /etc/katello/katello.yml
[root@xcs ~]# ll /etc/katello/katello.yml
-rw-------. 1 katello katello 4011 Dec 19 13:05 /etc/katello/katello.yml

rpm -qav | grep -i "katello-0"
katello-0.1.145-1.el6.noarch