Bug 962772 - User should not have permission to read the config file under /etc/openshift/
Product: OpenShift Container Platform
Classification: Red Hat
Component: Pod
Priority: low, Severity: low
Assigned To: Brenton Leanhardt
QA Contact: libra bugs
Reported: 2013-05-14 08:25 EDT by xjia
Modified: 2015-07-19 20:52 EDT
Doc Type: Bug Fix
Last Closed: 2013-07-11 10:43:45 EDT
Type: Bug

Description xjia 2013-05-14 08:25:48 EDT
Description of problem:
After a user creates an app and SSHes into it, the user should not have permission to read /etc/openshift/*.conf.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create an app, then ssh into this app.
2. ls -l /etc/openshift/*

Actual results:
[phpjia-jia.newosetestv2.com 5190966373f2d32c2e000144]> ls -l /etc/openshift/*
-rw-r--r--. 1 root root 2750 May  7 08:41 /etc/openshift/node.conf
-rw-r--r--. 1 root root 7367 May 14 05:21 /etc/openshift/port-proxy.cfg
-rw-r--r--. 1 root root 7367 May 14 04:37 /etc/openshift/port-proxy.cfg.bak
-rw-r--r--. 1 root root 2449 May 10 10:57 /etc/openshift/resource_limits.conf
-rw-r-----. 1 root root 4355 Apr 29 08:02 /etc/openshift/web-proxy-config.json

total 4
drwxr-xr-x. 2 root root 4096 May 13 21:58 v2

total 20
-rw-r--r--. 1 root root 24 May  9 22:21 OPENSHIFT_BROKER_HOST
-rw-r--r--. 1 root root 42 May 13 16:41 OPENSHIFT_CARTRIDGE_SDK_BASH
-rw-r--r--. 1 root root 45 May 13 16:41 OPENSHIFT_CARTRIDGE_SDK_RUBY
-rw-r--r--. 1 root root 17 May  9 22:22 OPENSHIFT_CLOUD_DOMAIN
-rw-r--r--. 1 root root 24 May 13 16:41 PATH

Expected results:
Should not have permission to read any *.conf or *.cfg

Additional info:

Comment 1 Brenton Leanhardt 2013-05-14 08:44:08 EDT
We'll plan to triage this today though I'm not sure if there is a reason to prevent this on the node.  It's intended for no sensitive information to be stored in these configuration files.

This is one of the main reasons we wouldn't want Brokers and Nodes to be installed on the same machine since all of the sensitive settings should be on the Broker.
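
The permission check behind this report, as an added example that is not part of the original bug or of OpenShift: it lists regular files under a directory whose "other" read bit is set and exits non-zero if any exist. The function names and the temporary sample tree are constructed for illustration; GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenShift).
# Reports files that any non-root, non-group account (such as a gear
# user logged in over SSH) can read according to the mode bits.
# Only mode bits are evaluated; SELinux policy is not.

# world_readable DIR -> prints "MODE OWNER:GROUP PATH" per offending file
world_readable() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -perm -004: the "other" read bit is set (the last r in -rw-r--r--)
    find "$dir" -type f -perm -004 -exec stat -c '%a %U:%G %n' {} + | sort -k3
}

# audit DIR -> exit 0 if nothing is world-readable, 1 if something is,
# 2 if DIR is not a directory
audit() {
    found=$(world_readable "$1") || return 2
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample tree mirroring two entries from the listing in the
# report: node.conf is 0644, web-proxy-config.json is 0640.
make_sample() {
    d=$(mktemp -d)
    : > "$d/node.conf";             chmod 644 "$d/node.conf"
    : > "$d/web-proxy-config.json"; chmod 640 "$d/web-proxy-config.json"
    echo "$d"
}

# Demo on the constructed tree; on a node the call would be:
#   audit /etc/openshift
sample=$(make_sample)
audit "$sample" || echo "world-readable files found under $sample"
rm -rf "$sample"
```
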
