Project

Profile

Help

Actions
Send by e-mail Copy link

Issue #3278

closed

Pulp Installation Docs does not recommend additional steps user should take to set up a secure Pulp server

Added by bizhang over 6 years ago. Updated about 5 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Quarter:

Description

This issue is the result of a unembargoed vulnerability disclosure. to pulp-security list The exploit is as follows:

1If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non apache users, said user can call
from pulp.server.db.connection import initialize; initialize()
and do whatever they want in the database (reset password, raise their pulp privilege level)

This was deemed to be a hardening issue. We should update our docs to recommend that users go through the mongo security checklist: https://docs.mongodb.com/manual/security/
And stress the importance of not touching the default permissions of /etc/pulp/server.conf

Related issues

Copied to Pulp - Story #3279: Pulp should check that /etc/pulp/server.conf has the correct permission on server startCLOSED - WONTFIX

Actions
Actions
Copy link
 #1

Updated by bizhang over 6 years ago

  • Copied to Story #3279: Pulp should check that /etc/pulp/server.conf has the correct permission on server start added
Actions
Copy link
 #2

Updated by dalley over 6 years ago

  • Triaged changed from No to Yes
Actions
Copy link
 #3

Updated by bmbouter about 5 years ago

  • Status changed from NEW to CLOSED - WONTFIX
Actions
Copy link
 #4

Updated by bmbouter about 5 years ago

  • Tags Pulp 2 added
Actions
Send by e-mail Copy link

Also available in: Atom PDF