Bug #8503
Closed
Files in /var/local/rudder/ncf are world readable
Priority: 0
Description
Perms in /var/local/rudder/ncf are 755 on the Rudder server, so everyone can read them
Updated by Nicolas CHARLES almost 10 years ago
- Subject changed from File on /var/local/rudder/ncf are world readable on the Rudder server to File on /var/local/rudder/ncf are world readable
It is even worse: in pre-3.2 versions, files are also 755 on the nodes, so a non-privileged user can read them!
Updated by Alexis Mousset almost 10 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset almost 10 years ago
List of stored user specified parameters/variables (on latest 3.1):
| Node type | Path | Content | Current permissions |
|---|---|---|---|
| all | /var/rudder/ncf/local/50_techniques/ | ncf technique | root:root 644 |
| all | /var/rudder/cfengine-community/outputs/ | parameters in reports | root:root 644 (dir), 600 (files) |
| all | /var/rudder/cfengine-community/inputs/rudder_expected_reports.* | ncf expected reports | root:root 600 |
| all | /var/rudder/cfengine-community/inputs/ | Rudder directive content | root:root 600 |
| policy server | /var/rudder/configuration-repository/ncf/50_techniques/ | ncf technique | ncf-api-venv:rudder 644 (root server); root:root 600 (relay) |
| policy server | /var/rudder/share/ | ncf expected reports, Rudder directive content | root:root 600 (relay); root:root 660/600 (policy server) |
| policy server | /var/rudder/configuration-repository/shared-files/ | shared files | root:rudder 644 (server) ?; root:root 600 (relay) |
| root server | /var/rudder/configuration-repository/techniques/ncf_techniques/ | ncf expected reports and metadata | ncf-api-venv:rudder 660 |
| root server | /var/rudder/configuration-repository/directives/ | ncf technique parameters | root:root 660 |
| root server | /var/rudder/configuration-repository/directives/ | Rudder directive parameters | root:root 660 |
File transfers were all checked (and fixed) in #8159.
Updated by Alexis Mousset almost 10 years ago
We should decide and document properly what is public and private (directives vs. techniques, generic methods vs. it_ops_knowledge, etc.)
Updated by Alexis Mousset almost 10 years ago
To fix this we need:
- Correct umask for ncf-builder
- Correct permissions in the copy_from for ncf local
- Migration scripts on the server side to set correct perms on configuration-repository/techniques/ncf_techniques/
- On the nodes, the permissions will be fixed as soon as the new system techniques are downloaded
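
The audit behind this ticket and the two server-side fixes listed above (a umask for newly written files, a migration pass over existing ones), as an added shell example that is not part of the ticket or of Rudder's code. It only touches a scratch directory; the function names, the sample tree and the choice to strip every "other" bit are assumptions.

```shell
#!/bin/sh
# Added example (not Rudder code): everything happens in a scratch directory.

# Print every entry under $1 that grants any permission bit to "other".
list_other_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count such entries; 0 means nothing in the tree is exposed to other users.
count_other_accessible() {
    list_other_accessible "$1" | wc -l | tr -d ' '
}

# Create file $2 under umask $1 and print its symbolic mode (e.g. -rw-------).
# The subshell keeps the umask change from leaking into the caller.
mode_with_umask() {
    ( umask "$1" && : > "$2" ) && ls -ld "$2" | cut -c1-10
}

# Migration step for an existing tree: drop all "other" bits, leave owner and
# group bits untouched (so 755 -> 750, 644 -> 640, 660 stays 660).
tighten_tree() {
    chmod -R o-rwx "$1"
}

# Build a constructed tree that mimics the reported state: 755 dirs, 644 files.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/ncf/50_techniques/demo"
    printf 'secret_param=constructed\n' > "$root/ncf/50_techniques/demo/demo.cf"
    chmod 755 "$root" "$root/ncf" "$root/ncf/50_techniques" "$root/ncf/50_techniques/demo"
    chmod 644 "$root/ncf/50_techniques/demo/demo.cf"
    printf '%s\n' "$root"
}

demo() {
    tree=$(make_sample_tree) || return 1
    echo "before: $(count_other_accessible "$tree") entries accessible to other"
    tighten_tree "$tree"
    echo "after:  $(count_other_accessible "$tree") entries accessible to other"
    echo "umask 022 -> $(mode_with_umask 022 "$tree/loose")"
    echo "umask 077 -> $(mode_with_umask 077 "$tree/strict")"
    rm -rf "$tree"
}
demo
```

The migration pass alone is not enough: a writer still running with umask 022 recreates world-readable files after it, which is why the list above pairs it with the umask fix.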
Updated by Vincent MEMBRÉ almost 10 years ago
Awesome tables by Alexis Mousset are awesome
Updated by Alexis Mousset almost 10 years ago
- Related to User story #8607: Document security level of Rudder content added
Updated by Vincent MEMBRÉ over 9 years ago
- Target version changed from 2.11.23 to 2.11.24
Updated by Alexis Mousset over 9 years ago
- Subject changed from File on /var/local/rudder/ncf are world readable to Files in /var/local/rudder/ncf are world readable
Updated by Alexis Mousset over 9 years ago
- Status changed from In progress to Pending technical review
Updated by Alexis Mousset over 9 years ago
- Status changed from Pending technical review to Pending release
Updated by Alexis Mousset over 9 years ago
- Target version changed from 2.11.24 to 2.11.23
Updated by Alexis Mousset over 9 years ago
Updated by Vincent MEMBRÉ almost 7 years ago
- Private changed from Yes to No
- Priority set to 0