Issue #614

closed

~/.pulp/ is world readable

Added by bmbouter about 9 years ago. Updated almost 5 years ago.

Status: CLOSED - CURRENTRELEASE
Priority: High
Assignee:
Category: -
Sprint/Milestone: -
Start date:
Due date:
Estimated time:
Severity: 3. High
Version: 2.5
Platform Release: 2.6.0
OS:
Triaged: Yes
Groomed: No
Sprint Candidate: No
Tags: Pulp 2
Sprint:
Quarter:

Description

~/.pulp/ has permissions 775 which is insecure.

I expect ~/.pulp/ to have permissions 700 so that other users cannot read files within here. This is important for another bug [0] BZ 1159067 which puts username/password info into ~/.pulp/admin.conf

We can't automatically secure ~/.pulp/admin.conf because the user creates that file. We should set 700 on the folder level.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1159067

+ This bug was cloned from Bugzilla Bug #1163451 +

Actions #2

Updated by cduryee about 9 years ago

fixed in pulp 2.6.0-0.2.beta

+ This comment was cloned from Bugzilla #1163451 comment 2 +

Actions #3

Updated by igulina@redhat.com about 9 years ago

Now if /root/.pulp/ doesn't have 0700 permissions, the warning will be shown with the pulp-admin or pulp-consumer command.

rpm -qa | grep pulp-server

pulp-server-2.6.0-0.2.beta.fc20.noarch

pulp-admin login -u admin -p pass

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

Successfully logged in. Session certificate will expire at Dec 30 22:53:54 2014
GMT.

chmod 0700 -R /root/.pulp/
pulp-admin login -u admin -p pass

Successfully logged in. Session certificate will expire at Dec 30 23:01:34 2014
GMT.

chmod 0740 -R /root/.pulp/
pulp-admin repo list --summary

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

pulp-consumer status

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

This consumer is not currently registered.

If it was deleted/moved, a newly created folder ~/.pulp will have 0700.

mv ~/.pulp/ ~/.pulp_1/
pulp-consumer status

This consumer is not currently registered.

pulp-admin login -u admin -p wrongpass

The specified user does not have permission to execute the given command

ls -la ~/ | grep pulp

drwxr-xr-x. 2 root root 4096 Nov 4 13:53 for_pulp_uploads
drwx------. 2 root root 4096 Dec 24 00:03 .pulp
drwxr-----. 3 root root 4096 Dec 23 23:02 .pulp_1

+ This comment was cloned from Bugzilla #1163451 comment 3 +
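
The behaviour verified in the comment above (warn when the directory is not 0700, create it as 0700 when it is missing), as an added Python example. It is not Pulp's code; `check_private_dir`, `demo` and the "not a directory" message are hypothetical, and the directories are constructed in a temporary location.

```python
import os
import stat
import tempfile

REQUIRED_MODE = 0o700  # owner-only, as the issue asks for ~/.pulp/


def check_private_dir(path):
    """Create `path` owner-only if missing; otherwise return a warning
    string when its mode is not exactly 0700, or None when it is fine."""
    try:
        os.mkdir(path, REQUIRED_MODE)
    except FileExistsError:
        pass
    else:
        # mkdir's mode is filtered by the umask; set it explicitly.
        os.chmod(path, REQUIRED_MODE)
        return None
    st = os.lstat(path)  # lstat: do not follow a symlink planted at path
    if not stat.S_ISDIR(st.st_mode):
        return "Warning: not a directory: %s" % path
    mode = stat.S_IMODE(st.st_mode)
    if mode != REQUIRED_MODE:
        return ("Warning: path should have mode 0700 because it may "
                "contain sensitive information: %s" % path)
    return None


def demo():
    """Run the check against constructed directories in a temp dir."""
    results = {}
    with tempfile.TemporaryDirectory() as home:
        conf_dir = os.path.join(home, ".pulp")
        results["created"] = check_private_dir(conf_dir)
        results["created_mode"] = stat.S_IMODE(os.stat(conf_dir).st_mode)
        os.chmod(conf_dir, 0o775)   # the mode reported in the issue
        results["loose"] = check_private_dir(conf_dir)
        os.chmod(conf_dir, 0o740)   # the mode tried in the verification
        results["group_read"] = check_private_dir(conf_dir)
        os.chmod(conf_dir, 0o700)
        results["fixed"] = check_private_dir(conf_dir)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Checking the directory rather than admin.conf matches the reasoning in the description: the user creates the file with whatever mode they like, but a 0700 parent keeps other users from reaching it at all.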

Actions #4

Updated by bmbouter almost 9 years ago

  • Severity changed from High to 3. High

Actions #5

Updated by rbarlow almost 9 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

Actions #7

Updated by bmbouter almost 5 years ago

  • Tags Pulp 2 added
