Story #3279
Pulp should check that /etc/pulp/server.conf has the correct permission on server start
Status: CLOSED - WONTFIX
Priority: Normal
Assignee: -
Category: -
Sprint/Milestone: -
% Done: 0%
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Description
This issue is the result of an unembargoed vulnerability disclosure to the pulp-security list. The exploit is as follows:
If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non-apache users, said user can call
from pulp.server.db.connection import initialize; initialize()
and do whatever they want in the database (reset passwords, raise their pulp privilege level).
As a security improvement we could validate that permissions on /etc/pulp/server.conf are set correctly before the pulp server is able to start.
The correct permission is 600 with apache as owner and group.
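One way to implement the start-up check proposed above, written here as an added example rather than Pulp's own code. The path, the 0600 mode and the apache owner/group are taken from the issue; the function names, the `demo` helper and the sample file contents it writes are constructed for illustration and are assumptions, not Pulp internals.

```python
import errno
import grp
import os
import pwd
import stat
import tempfile

# What the issue asks for: /etc/pulp/server.conf must be mode 0600 and
# owned by apache:apache. Path, mode and names come from the issue; the
# rest of this module is an illustrative check, not Pulp's own code.
SERVER_CONF = "/etc/pulp/server.conf"
REQUIRED_MODE = 0o600
REQUIRED_OWNER = "apache"
REQUIRED_GROUP = "apache"


def _owner_name(uid):
    """Map a uid to a user name, falling back to the numeric id."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def _group_name(gid):
    """Map a gid to a group name, falling back to the numeric id."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)


def conf_permission_problems(path=SERVER_CONF, mode=REQUIRED_MODE,
                             owner=REQUIRED_OWNER, group=REQUIRED_GROUP):
    """Return a list of problems with the file's type, mode and ownership.

    An empty list means the file is at least as restrictive as required.
    lstat is used on purpose: a symlink at the config path is reported
    instead of followed, so a link to a world-readable copy cannot pass.
    """
    try:
        st = os.lstat(path)
    except OSError as exc:
        if exc.errno == errno.ENOENT:
            return ["%s does not exist" % path]
        raise
    problems = []
    if stat.S_ISLNK(st.st_mode):
        problems.append("%s is a symlink; expected a regular file" % path)
    elif not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    actual = stat.S_IMODE(st.st_mode)
    # Any bit outside 0600 (group/other read, execute, setuid, ...) lets a
    # non-apache local user reach the database credentials; 0400 is
    # accepted because it is stricter than 0600.
    if actual & ~mode:
        problems.append("%s mode is %04o; expected %04o" % (path, actual, mode))
    actual_owner = _owner_name(st.st_uid)
    if actual_owner != owner:
        problems.append("%s owner is %s; expected %s" % (path, actual_owner, owner))
    actual_group = _group_name(st.st_gid)
    if actual_group != group:
        problems.append("%s group is %s; expected %s" % (path, actual_group, group))
    return problems


def startup_check_message(path=SERVER_CONF):
    """None when the server may start, otherwise the refusal message."""
    problems = conf_permission_problems(path)
    if not problems:
        return None
    return "refusing to start: " + "; ".join(problems)


def ensure_server_conf_is_private(path=SERVER_CONF):
    """Call early in server start-up; raises rather than serving with a readable config."""
    message = startup_check_message(path)
    if message is not None:
        raise RuntimeError(message)


def demo(mode):
    """Write a throwaway file with constructed server.conf-like content,
    chmod it to `mode` and return the problems reported for it. Owner and
    group are set to the current user so that only the mode is exercised."""
    owner, group = _owner_name(os.getuid()), _group_name(os.getgid())
    fd, path = tempfile.mkstemp(prefix="server.conf.")
    try:
        # Constructed sample content; not a real Pulp configuration.
        os.write(fd, b"[database]\nname: pulp_database\nseeds: localhost:27017\n")
        os.close(fd)
        os.chmod(path, mode)
        return conf_permission_problems(path, owner=owner, group=group)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in (0o644, 0o640, 0o600, 0o400):
        print("%04o -> %s" % (m, demo(m) or "ok"))
```

Two caveats worth keeping in mind with a check like this: it only addresses the second of the two preconditions in the disclosure (the readable config file), not mongo running without authentication on localhost, so it narrows the window rather than closing it; and it must run before the credentials in the file are used for anything, otherwise the server has already connected with them by the time it refuses to start.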
Related issues
Updated by bizhang over 6 years ago
- Copied from Issue #3278: Pulp Installation Docs does not recommend additional steps user should take to set up a secure Pulp server added
Updated by bmbouter about 5 years ago
- Status changed from NEW to CLOSED - WONTFIX