Project

Profile

Help

Story #3279

closed

Pulp should check that /etc/pulp/server.conf has the correct permission on server start

Added by bizhang over 4 years ago. Updated over 3 years ago.

Status:
CLOSED - WONTFIX
Priority:
Normal
Assignee:
-
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Platform Release:
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

This issue is the result of a unembargoed vulnerability disclosure. to pulp-security list The exploit is as follows:

1If mongo runs without authentication on localhost and /etc/pulp/server.conf is misconfigured to be readable by non apache users, said user can call
from pulp.server.db.connection import initialize; initialize()
and do whatever they want in the database (reset password, raise their pulp privilege level)

As a security improvement we could validate that permissions on /etc/pulp/server.conf is set correctly before the pulp server is able to start.
The correct permission is 600 with apache as owner and group.


Related issues

Copied from Pulp - Issue #3278: Pulp Installation Docs does not recommend additional steps user should take to set up a secure Pulp serverCLOSED - WONTFIXActions

Also available in: Atom PDF