
Issue #3278

closed

Pulp Installation Docs does not recommend additional steps user should take to set up a secure Pulp server

Added by bizhang over 4 years ago. Updated about 3 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
2. Medium
Version:
Platform Release:
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Documentation, Pulp 2
Sprint:
Quarter:

Description

This issue is the result of an unembargoed vulnerability disclosure to the pulp-security list. The exploit is as follows:

1. If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non-apache users, that user can call
   from pulp.server.db.connection import initialize; initialize()
   and do whatever they want in the database (reset a password, raise their Pulp privilege level).

This was deemed to be a hardening issue. We should update our docs to recommend that users go through the mongo security checklist (https://docs.mongodb.com/manual/security/) and stress the importance of not touching the default permissions of /etc/pulp/server.conf.
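The related Story #3279 proposes that Pulp verify the permissions of /etc/pulp/server.conf at startup. The following is an added example of such a check, not code from the Pulp project. It assumes the packaged default of root-owned, group apache, mode 0640 (an assumption about Pulp 2's RPM layout, not stated on this page); the audit logic is kept separate from the filesystem call so it can be exercised on constructed stat values.

```python
import grp
import os
import pwd
import stat
import sys

# Assumed packaged defaults for /etc/pulp/server.conf: root:apache, mode 0640.
DEFAULT_CONFIG = "/etc/pulp/server.conf"
EXPECTED_OWNER = "root"
EXPECTED_GROUP = "apache"


def audit_stat(perm_bits, uid, gid, expected_uid=0, expected_gid=None):
    """Return a list of findings for a config file's permission bits and ownership.

    perm_bits is the permission part of st_mode (e.g. 0o640). expected_uid or
    expected_gid set to None skips that ownership check. An empty list means the
    file is no more exposed than the assumed default.
    """
    findings = []
    if perm_bits & stat.S_IROTH:
        findings.append(
            "world-readable (mode %04o): any local user can read the database "
            "settings and credentials" % perm_bits
        )
    if perm_bits & stat.S_IWOTH:
        findings.append("world-writable (mode %04o): any local user can alter settings" % perm_bits)
    if perm_bits & stat.S_IWGRP:
        findings.append("group-writable (mode %04o): the web server group can alter settings" % perm_bits)
    if expected_uid is not None and uid != expected_uid:
        findings.append("owned by uid %d, expected uid %d" % (uid, expected_uid))
    if expected_gid is not None and gid != expected_gid:
        findings.append("group is gid %d, expected gid %d" % (gid, expected_gid))
    return findings


def check_config_permissions(path=DEFAULT_CONFIG, owner=EXPECTED_OWNER, group=EXPECTED_GROUP):
    """Stat the file and audit it against the expected owner/group names."""
    st = os.stat(path)
    expected_uid = pwd.getpwnam(owner).pw_uid if owner else None
    # If the expected group does not exist on this host, report that rather than crash.
    try:
        expected_gid = grp.getgrnam(group).gr_gid if group else None
    except KeyError:
        return ["expected group %r does not exist on this host" % group]
    return audit_stat(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, expected_uid, expected_gid)


if __name__ == "__main__":
    # Usage: python check_server_conf.py [path]; exits non-zero if anything is flagged,
    # which is the behaviour a startup check would want.
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONFIG
    problems = check_config_permissions(target)
    for problem in problems:
        print("%s: %s" % (target, problem))
    sys.exit(1 if problems else 0)
```

Wiring the check into service startup (or a cron job) turns the documentation advice into something that fails loudly when an administrator loosens the mode; the ownership checks are parameterised because distributions differ in the web server's group name.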


Related issues

Copied to Pulp - Story #3279: Pulp should check that /etc/pulp/server.conf has the correct permission on server start (CLOSED - WONTFIX)
