Bug 806469 – stickshift-node.conf should only contain relevant information

Bug 806469 - stickshift-node.conf should only contain relevant information

Summary:	stickshift-node.conf should only contain relevant information

Status:	CLOSED WONTFIX

Aliases:	None

Product:	OpenShift Origin
Classification:	Red Hat
Component:	Containers (Show other bugs)
Sub Component:
Version:	2.x
Hardware:	Unspecified Unspecified

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Krishna Raman
QA Contact:	libra bugs
Docs Contact:

URL:
Whiteboard:
Keywords:	Security, Triaged

Depends On:
Blocks:	767033
	Show dependency tree / graph

Reported:	2012-03-23 16:51 EDT by Thomas Wiest
Modified:	2015-05-14 18:52 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2012-06-13 17:13:28 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Thomas Wiest 2012-03-23 16:51:56 EDT

Description of problem:
In the last release, because of changes in how cartridges work, /etc/stickshift/stickshift-node.conf was opened up so that users could read settings from it.

This file should only contain information that the cartridges will need. All other information should be switched to a file that users cannot read.

Before this release, this file was not readable by users / gears.


Version-Release number of selected component (if applicable):
rhc-node-0.88.12-1.el6_2.x86_64


How reproducible:
very


Steps to Reproduce:
1. Open /etc/stickshift/stickshift-node.conf
2. Notice that it's readable by everyone
3. Notice that it contains more information that users don't need to see


Actual results:
The file is readable by everyone and contains information that users don't need to see.


Expected results:
It should only contain information that the users / gears need to see, and nothing more.

Comment 1 Rob Millner 2012-03-26 22:26:48 EDT

Is any information in that file a security issue if the gears can see it?

Comment 2 Thomas Wiest 2012-06-02 00:12:18 EDT

Mike, Tim, Dan, Krishna and I discussed this and it was determined that even if the information wasn't immediately dangerous for gears to see, this should still be moved out because:

1) the principle of least privilege (why show users data that they don't need to see, that may be exploitable either now or in the future)
2) since the file used to be private, developers may add sensitive information to the file in the future without knowing the implications.

Mike or Tim can probably give more reasons.

Comment 3 Jhon Honce 2012-06-11 14:21:23 EDT

Please review 
https://rally1.rallydev.com/#/4670516379d/detail/userstory/6693533935 to ensure the sensitive information in question is being secured.

Comment 4 Jhon Honce 2012-06-13 17:13:28 EDT

Cartridges are using too many variables to make this change worth while.

User story deleted.

Note You need to log in before you can comment on or make changes to this bug.