A permissions flaw was found in redis, which sets weak permissions on certain files and directories that could potentially contain sensitive information. A local, unprivileged user could possibly use this flaw to access unauthorized system information.
It was found that redis set weak permissions on certain files that could potentially contain sensitive information:
-rw-r--r--. 1 redis root 41599 Feb 8 2016 /etc/redis.conf
-rw-r--r--. 1 redis root 7355 Feb 8 2016 /etc/redis-sentinel.conf
drwxr-xr-x. 2 redis redis 4096 Sep 9 14:29 /var/lib/redis
This issue was originally reported in bug 1374700.
What's the recommended update? 640/750? Typically, things in /etc are world-readable?
(In reply to Lon Hohberger from comment #3)
> What's the recommended update? 640/750 ? Typically, things in /etc are
I think 640 on the two files that contain passwords (redis.conf, redis-sentinel.conf), as is already done in the newer builds, should be fine.
Name: Honza Horak (Red Hat), Remi Collet (Red Hat)
This issue has been addressed in the following products:
Red Hat OpenStack Platform 10.0 (Newton)
Via RHSA-2017:3226 https://access.redhat.com/errata/RHSA-2017:3226
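
A check for the condition described in this report, added here as an example (it is not code from the bug report or from the redis package): it flags any of the three listed paths that still grants permissions to "other", which 640 on the files and 750 on the directory would remove. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag Redis config/data paths that grant any access to "other".
# The paths are the ones listed in the report; 640 (files) and 750 (directory)
# are the modes discussed in the comments.

# world_bits PATH -> prints the "other" permission triad, e.g. "r--" or "---"
world_bits() {
    # Characters 8-10 of the ls mode string are the "other" triad.
    # -L follows symlinks so the target's mode is judged, not the link's.
    # A sticky bit without execute shows as "T"; it grants no access, so map it to "-".
    ls -ldL -- "$1" | cut -c8-10 | tr 'T' '-'
}

# is_world_accessible PATH -> status 0 if "other" holds any permission bit
is_world_accessible() {
    [ "$(world_bits "$1")" != "---" ]
}

# audit_redis_perms PATH... -> one line per path; status 1 if any path is weak
audit_redis_perms() {
    findings=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "SKIP  $p (not present)"
        elif is_world_accessible "$p"; then
            echo "WEAK  $(ls -ldL -- "$p")"
            findings=$((findings + 1))
        else
            echo "OK    $p"
        fi
    done
    [ "$findings" -eq 0 ]
}

# Audit the three paths named in the report.
audit_redis_perms /etc/redis.conf /etc/redis-sentinel.conf /var/lib/redis \
    || echo "One or more Redis paths are accessible to unprivileged local users."
```
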