Issue #3278 (closed): Pulp Installation Docs do not recommend additional steps users should take to set up a secure Pulp server
Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
Severity: 2. Medium
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Documentation, Pulp 2
Description
This issue is the result of an unembargoed vulnerability disclosure to the pulp-security list. The exploit is as follows:
1. If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non-apache users, said user can call
    from pulp.server.db.connection import initialize; initialize()
and do whatever they want in the database (reset passwords, raise their Pulp privilege level).
This was deemed to be a hardening issue. We should update our docs to recommend that users go through the mongo security checklist: https://docs.mongodb.com/manual/security/
and stress the importance of not touching the default permissions of /etc/pulp/server.conf.
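The two conditions the report combines (MongoDB reachable without credentials, and server.conf readable by users other than the web server) can both be checked from the Pulp host before hardening. The following audit script is an added example, not Pulp's own code or anything from this issue. It assumes that server.conf is INI-style with a [database] section whose `username` and `password` options are what Pulp uses to authenticate to MongoDB (empty meaning an unauthenticated connection), and that the shipped file mode is 0640 (root-owned, group apache), so any read bit for "other" is a deviation from the default. The two configs it checks are constructed in a temporary directory so it runs offline.

```python
"""Audit a Pulp 2 style server.conf for the two weaknesses in issue #3278.

Added example, not Pulp project code. Assumptions (not stated in the issue):
- server.conf is INI-style with a [database] section holding `username`
  and `password`; empty values mean Pulp connects to MongoDB without auth.
- the shipped permissions are 0640 root:apache, so a read bit for "other"
  means someone changed the default.
"""
import configparser
import os
import stat
import tempfile


def audit_server_conf(path):
    """Return a list of findings for the file at `path` (empty == nothing to fix)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Anyone on the box can read the DB seeds/credentials if "other" has read.
    if mode & stat.S_IROTH:
        findings.append("server.conf is world-readable (mode %o); expected 0640" % mode)
    # Group/other write would let a non-root user repoint Pulp at another DB.
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("server.conf is writable by group or others (mode %o)" % mode)

    cfg = configparser.ConfigParser()
    cfg.read(path)
    username = cfg.get("database", "username", fallback="").strip()
    password = cfg.get("database", "password", fallback="").strip()
    if not (username and password):
        findings.append("[database] has no username/password: "
                        "Pulp talks to MongoDB unauthenticated")
    return findings


def _write(dirpath, name, text, mode):
    """Write a constructed sample config and set its mode bits explicitly."""
    path = os.path.join(dirpath, name)
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)
    return path


def demo():
    """Run the audit over two constructed configs; returns {name: findings}."""
    insecure = ("[database]\n"
                "name: pulp_database\n"
                "seeds: localhost:27017\n")          # no credentials at all
    hardened = ("[database]\n"
                "name: pulp_database\n"
                "seeds: localhost:27017\n"
                "username: pulp\n"
                "password: example-only\n")           # constructed value
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        results["insecure"] = audit_server_conf(_write(tmp, "insecure.conf", insecure, 0o644))
        results["hardened"] = audit_server_conf(_write(tmp, "hardened.conf", hardened, 0o640))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or "OK")
```

Run against the real file with `audit_server_conf("/etc/pulp/server.conf")`; an empty list means neither condition from the report applies. Credentials in the file only help if MongoDB actually enforces them, so the `security.authorization: enabled` step from the linked MongoDB checklist is still needed on the mongod side.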