Project

Profile

Help

Issue #614

~/.pulp/ is world readable

Added by bmbouter almost 7 years ago. Updated almost 3 years ago.

Status:
CLOSED - CURRENTRELEASE
Priority:
High
Assignee:
Category:
-
Sprint/Milestone:
-
Start date:
Due date:
Estimated time:
Severity:
3. High
Version:
2.5
Platform Release:
2.6.0
OS:
Triaged:
Yes
Groomed:
No
Sprint Candidate:
No
Tags:
Pulp 2
Sprint:
Quarter:

Description

~/.pulp/ has permissions 775 which is insecure.

I expect ~/.pulp/ to have permissions 700 so that other users cannot read files within here. This is important for another bug [0] BZ 1159067 which puts username/password info into ~/.pulp/admin.conf

We can't automatically secure ~/.pulp/admin.conf because the user creates that file. We should set 700 on the folder level.

[0]: https://bugzilla.redhat.com/show_bug.cgi?id=1159067

+ This bug was cloned from Bugzilla Bug #1163451 +

History

#2 Updated by cduryee almost 7 years ago

fixed in pulp 2.6.0-0.2.beta

+ This comment was cloned from Bugzilla #1163451 comment 2 +

#3 Updated by igulina@redhat.com almost 7 years ago

Now if /root/.pulp/ doesn't have 0700 permissions, the warining will be shown with pulp-admin or pulp-consumer command.

rpm -qa | grep pulp-server

pulp-server-2.6.0-0.2.beta.fc20.noarch

pulp-admin login -u admin -p pass

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

Successfully logged in. Session certificate will expire at Dec 30 22:53:54 2014
GMT.

chmod 0700 -R /root/.pulp/
pulp-admin login -u admin -p pass

Successfully logged in. Session certificate will expire at Dec 30 23:01:34 2014
GMT.

chmod 0740 -R /root/.pulp/
pulp-admin repo list --summary

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

pulp-consumer status

Warning: path should have mode 0700 because it may contain sensitive information: /root/.pulp/

This consumer is not currently registered.

If it was deleted/moved, a new created folder ~/.pulp will have 0700.

mv ~/.pulp/ ~/.pulp_1/
pulp-consumer status

This consumer is not currently registered.

pulp-admin login -u admin -p wrongpass

The specified user does not have permission to execute the given command

ls -la ~/ | grep pulp

drwxr-xr-x. 2 root root 4096 Nov 4 13:53 for_pulp_uploads
drwx------. 2 root root 4096 Dec 24 00:03 .pulp
drwxr-----. 3 root root 4096 Dec 23 23:02 .pulp_1

+ This comment was cloned from Bugzilla #1163451 comment 3 +

#4 Updated by bmbouter almost 7 years ago

  • Severity changed from High to 3. High

#5 Updated by rbarlow over 6 years ago

  • Status changed from 6 to CLOSED - CURRENTRELEASE

#7 Updated by bmbouter almost 3 years ago

  • Tags Pulp 2 added

Please register to edit this issue

Also available in: Atom PDF