Description of problem:
config/settings.yml is readable by all - this file also contains oauth secret tokens for communication with warehouse and imagefactory -> it should be readable only by owner/group.

-rw-r--r--. 1 root root 674 Jan 4 17:01 /usr/share/aeolus-conductor/config/settings.yml
adding to ce-sprint-next
adding to ce-sprint
removing ce-sprint-next tracker
taking off ce-sprint-next..
This seems to have been fixed already. If you have an old rpm install, you won't see the fix, though, since the prior config file won't be overwritten. If you remove that file and install a new RPM, you should get proper permissions:

-rw-r----- 1 root aeolus 631 Jan 17 17:34 /usr/share/aeolus-conductor/config/settings.yml
This issue is reproducible. The permissions are not proper.

#ls -lhtr /usr/share/aeolus-conductor/config/settings.yml
-rw-r--r--. 1 root root 674 Jan 18 23:06 /usr/share/aeolus-conductor/config/settings.yml

# rpm -qa | grep aeolus
aeolus-conductor-0.8.0-8.el6.noarch
rubygem-aeolus-cli-0.3.0-4.el6.noarch
aeolus-configure-2.5.0-5.el6.noarch
aeolus-conductor-daemons-0.8.0-8.el6.noarch
rubygem-aeolus-image-0.3.0-3.el6.noarch
aeolus-all-0.8.0-8.el6.noarch
aeolus-conductor-doc-0.8.0-8.el6.noarch
OK, now I see the problem. aeolus-configure overwrites this file, and it's probably getting the permissions wrong:

in recipes/aeolus/manifests/conductor.pp:

file{"/usr/share/aeolus-conductor/config/settings.yml":
       content => template("aeolus/conductor-settings.yml"),
       require => Package['aeolus-conductor']}

so the puppet manifest here needs to set the file perms to 640 and ownership to root:aeolus
OK, I have acked and pushed Mo's patch for this. Note that we decided it didn't make sense to change _existing_ file permissions, so if the admin (or previous configure) changed this to the wrong thing, it will stay that way. To properly test, either use a fresh install, or delete the file in question and reinstall/rerun configure.

commit 3e5dc4b7998556a8a3fbbba84e5ae7f63d12ba80
Author: Mo Morsi <mmorsi>
Date:   Wed Jan 25 16:39:43 2012 -0500

    BZ# 771922: set owner, group, mode on conductor settings file
3e5dc4b in aeolus-configure-2.5.0-11
Permissions set correctly.

# ls -lhtr /usr/share/aeolus-conductor/config/settings.yml
-rw-r-----. 1 root aeolus 674 Jan 31 23:25 /usr/share/aeolus-conductor/config/settings.yml

conductor.pp:

file{"/usr/share/aeolus-conductor/config/settings.yml":
       content => template("aeolus/conductor-settings.yml"),
       require => Package['aeolus-conductor'],
       mode => 640, owner => 'root', group => 'aeolus'}

verified on:

rpm -qa | grep aeolus
aeolus-conductor-0.8.0-17.el6.noarch
rubygem-aeolus-cli-0.3.0-7.el6.noarch
aeolus-configure-2.5.0-11.el6.noarch
aeolus-conductor-daemons-0.8.0-17.el6.noarch
aeolus-all-0.8.0-17.el6.noarch
aeolus-conductor-doc-0.8.0-17.el6.noarch
rubygem-aeolus-image-0.3.0-7.el6.noarch
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2012-0586.html
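
Added example, not part of the original report or of the Aeolus code: a shell check for the state this bug ends in (settings.yml owned by root:aeolus with mode 640), useful on upgraded hosts where an earlier settings.yml may still carry the old mode. The function name audit_secret_file is made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not Aeolus code). Requires GNU stat from coreutils.

# audit_secret_file PATH OWNER GROUP MAXMODE
# Prints one line per finding.
# Returns 0 if clean, 1 on findings, 2 if PATH is not a regular file.
audit_secret_file() {
    path=$1 want_owner=$2 want_group=$3 max_mode=$4
    if [ ! -f "$path" ]; then
        echo "MISSING $path"
        return 2
    fi
    mode=$(stat -L -c '%a' "$path")
    owner=$(stat -L -c '%U' "$path")
    group=$(stat -L -c '%G' "$path")
    rc=0
    # The leading 0 makes the shell read both values as octal.
    # Bits set in the file's mode but absent from MAXMODE are excess access,
    # e.g. 644 against 640 leaves 0004 (read for "other").
    extra=$(( 0$mode & ~0$max_mode & 07777 ))
    if [ "$extra" -ne 0 ]; then
        printf 'MODE %s is %s, allowed at most %s (excess bits %04o)\n' \
            "$path" "$mode" "$max_mode" "$extra"
        rc=1
    fi
    if [ "$owner" != "$want_owner" ] || [ "$group" != "$want_group" ]; then
        echo "OWNER $path is $owner:$group, expected $want_owner:$want_group"
        rc=1
    fi
    return "$rc"
}

# With a path argument, audit it against the values from the fixed conductor.pp.
if [ "$#" -gt 0 ]; then
    audit_secret_file "$1" root aeolus 640
fi
```

Run it with /usr/share/aeolus-conductor/config/settings.yml as the argument; a stricter mode such as 600 passes, since only bits beyond 640 are reported.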