Bug #8503

closed

Files in /var/local/rudder/ncf are world readable

Added by Nicolas CHARLES about 8 years ago. Updated about 5 years ago.

Status: Released
Priority: N/A
Category: System techniques
Priority: 0

Description

Perms in /var/local/rudder/ncf are 755 on the Rudder server, so everyone can read them


Subtasks: 3 (0 open, 3 closed)

  • Bug #8601: Fix rights on /var/rudder/ncf/local/50_techniques/ in the copy body (Released, Nicolas CHARLES)
  • Bug #8602: Fix permissions in ncf apache conf and add fixes in migration scripts (Released, Nicolas CHARLES)
  • Bug #8966: Fix rights on /var/rudder/ncf/local/50_techniques/ in the copy body - wrong merge in 3.1 (Released, Benoît PECCATTE)

Related issues: 1 (0 open, 1 closed)

  • Related to Rudder - User story #8607: Document security level of Rudder content (Released, François ARMAND)

Actions #1

Updated by Nicolas CHARLES about 8 years ago

  • Subject changed from File on /var/local/rudder/ncf are world readable on the Rudder server to File on /var/local/rudder/ncf are world readable

It is even worse: in versions pre-3.2, files are also 755 on the nodes, so a non-privileged user can read them!

Actions #2

Updated by Alexis Mousset about 8 years ago

  • Status changed from New to In progress
  • Assignee set to Alexis Mousset
Actions #3

Updated by Alexis Mousset about 8 years ago

List of stored user specified parameters/variables (on latest 3.1):

| Node type | Path | Content | Current permissions |
|---|---|---|---|
| all | /var/rudder/ncf/local/50_techniques/ | ncf technique | root:root 644 |
| all | /var/rudder/cfengine-community/outputs/ | parameters in reports | root:root 644 (dir), 600 (files) |
| all | /var/rudder/cfengine-community/inputs/rudder_expected_reports.* | ncf expected reports | root:root 600 |
| all | /var/rudder/cfengine-community/inputs/ | Rudder directive content | root:root 600 |
| policy server | /var/rudder/configuration-repository/ncf/50_techniques/ | ncf technique | ncf-api-venv:rudder 644 (root server); root:root 600 (relay) |
| policy server | /var/rudder/share/ | ncf expected reports, Rudder directive content | root:root 600 (relay); root:root 660/600 (policy server) |
| policy server | /var/rudder/configuration-repository/shared-files/ | shared files | root:rudder 644 (server) ?; root:root 600 (relay) |
| root server | /var/rudder/configuration-repository/techniques/ncf_techniques/ | ncf expected reports and metadata | ncf-api-venv:rudder 660 |
| root server | /var/rudder/configuration-repository/directives/ | ncf technique parameters | root:root 660 |
| root server | /var/rudder/configuration-repository/directives/ | Rudder directive parameters | root:root 660 |

File transfers were all checked (and fixed) in #8159.

Actions #4

Updated by Alexis Mousset about 8 years ago

We should decide and document properly what is public and private (directives vs. techniques, generic methods vs. it_ops_knowledge, etc.)

Actions #5

Updated by Alexis Mousset about 8 years ago

To fix this we need:
  • Correct umask for ncf-builder
  • Correct permissions in the copy_from for ncf local
  • Migration scripts on the server side to set correct perms on configuration-repository/techniques/ncf_techniques/
  • On the nodes, the permissions will be fixed as soon as the new system techniques are downloaded
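
Added example, not part of the ticket or of Rudder's own migration scripts: a shell sketch of the audit, migration and umask steps listed above. The function names and the choice of paths (copied from the table in this ticket) are assumptions, as is the policy that "other" should have no access at all; `stat -c` requires GNU coreutils.

```shell
#!/bin/sh
# Paths copied from the ticket's table (assumption: these are the ones to audit).
# Usage: audit_world_access $RUDDER_PATHS   (unquoted, one path per line)
RUDDER_PATHS="/var/rudder/ncf/local/50_techniques
/var/rudder/configuration-repository/ncf/50_techniques
/var/rudder/configuration-repository/techniques/ncf_techniques
/var/rudder/configuration-repository/shared-files"

# Print "MODE OWNER:GROUP PATH" for every entry granting any access to "other".
audit_world_access() {
    for root in "$@"; do
        [ -e "$root" ] || continue      # path may not exist on this node type
        find "$root" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec stat -c '%a %U:%G %n' {} +
    done
}

# Migration step: drop all "other" bits; owner and group bits are left untouched.
strip_world_access() {
    for root in "$@"; do
        [ -e "$root" ] || continue
        find "$root" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) \
            -exec chmod o-rwx {} +
    done
}

# Umask step: create a file that is never world readable, even before a chmod.
# Usage: write_private PATH < content
write_private() {
    ( umask 077 && cat > "$1" )
}
```

Running the audit again after `strip_world_access` should print nothing; any remaining line points at a writer that still creates files with a permissive umask.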
Actions #6

Updated by Vincent MEMBRÉ about 8 years ago

Awesome tables by Alexis Mousset are awesome

Actions #7

Updated by Alexis Mousset about 8 years ago

Actions #8

Updated by Vincent MEMBRÉ almost 8 years ago

  • Target version changed from 2.11.23 to 2.11.24
Actions #9

Updated by Alexis Mousset almost 8 years ago

  • Subject changed from File on /var/local/rudder/ncf are world readable to Files in /var/local/rudder/ncf are world readable
Actions #10

Updated by Alexis Mousset almost 8 years ago

  • Status changed from In progress to Pending technical review
Actions #11

Updated by Alexis Mousset almost 8 years ago

  • Status changed from Pending technical review to Pending release
Actions #12

Updated by Alexis Mousset almost 8 years ago

  • Target version changed from 2.11.24 to 2.11.23
Actions #13

Updated by Alexis Mousset almost 8 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.23, 3.1.12 and 3.2.5 which were released today.

Actions #14

Updated by Vincent MEMBRÉ about 5 years ago

  • Private changed from Yes to No
  • Priority set to 0