Issue #3278
Pulp Installation Docs does not recommend additional steps users should take to set up a secure Pulp server
Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Documentation, Pulp 2
Description
This issue is the result of an unembargoed vulnerability disclosure to the pulp-security list. The exploit is as follows:
If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non-apache users, said user can call
from pulp.server.db.connection import initialize; initialize()
and do whatever they want in the database (reset password, raise their pulp privilege level)
This was deemed to be a hardening issue. We should update our docs to recommend that users go through the mongo security checklist: https://docs.mongodb.com/manual/security/
And stress the importance of not touching the default permissions of /etc/pulp/server.conf
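As an added example (not Pulp's own code, and not the check proposed in the linked story), the two recommendations above expressed as checks an administrator could run: one flags /etc/pulp/server.conf when its permission bits let other local users read or alter it, the other reads a YAML-style mongod.conf and reports whether security.authorization is enabled. The server.conf path comes from the issue; the mongod.conf layout and the throwaway-file helper are assumptions for offline use.

```python
"""Hardening checks for a Pulp 2 server: keep /etc/pulp/server.conf unreadable by
other local users, and run mongod with authorization enabled.
Added example, not Pulp's code; the mongod.conf layout is an assumption."""
import os
import stat
import tempfile

SERVER_CONF = "/etc/pulp/server.conf"  # path named in the issue


def conf_mode_findings(path):
    """Return findings for a config file that holds DB connection settings."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: any local user can read the DB settings")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group/world-writable: DB settings can be altered by others")
    return findings


def audit_temp_conf(mode):
    """Offline demonstration helper: create a throwaway file with the given
    permission bits (constructed input) and return the findings for it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        os.chmod(path, mode)
        return conf_mode_findings(path)
    finally:
        os.unlink(path)


def mongod_auth_enabled(conf_text):
    """True if a YAML-style mongod.conf sets security.authorization: enabled.
    Minimal indentation-based parser so the example needs no PyYAML."""
    in_security = False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():  # top-level key such as "security:"
            in_security = line.strip() == "security:"
            continue
        if in_security:
            key, _, value = line.strip().partition(":")
            if key.strip() == "authorization":
                return value.strip().strip("'\"").lower() == "enabled"
    return False
```

Running conf_mode_findings(SERVER_CONF) on a real host reports the same findings for the installed file; an empty list means the default owner-and-group-only permissions are intact.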
Related issues
Updated by bizhang over 6 years ago
- Copied to Story #3279: Pulp should check that /etc/pulp/server.conf has the correct permission on server start added
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX