Bug #8503
Closed
Files in /var/local/rudder/ncf are world readable
Added by Nicolas CHARLES over 8 years ago. Updated over 5 years ago.
Priority: 0
Description
Perms in /var/local/rudder/ncf are 755 on the Rudder server, so everyone can read them
Updated by Nicolas CHARLES over 8 years ago
- Subject changed from File on /var/local/rudder/ncf are world readable on the Rudder server to File on /var/local/rudder/ncf are world readable
It is even worse: in versions pre-3.2, files are also 755 on the nodes, so a non-privileged user can read them!
Updated by Alexis Mousset over 8 years ago
- Status changed from New to In progress
- Assignee set to Alexis Mousset
Updated by Alexis Mousset over 8 years ago
List of stored user specified parameters/variables (on latest 3.1):
| Node type | Path | Content | Current permissions |
|---|---|---|---|
| all | /var/rudder/ncf/local/50_techniques/ | ncf technique | root:root 644 |
| all | /var/rudder/cfengine-community/outputs/ | parameters in reports | root:root 644 (dir), 600 (files) |
| all | /var/rudder/cfengine-community/inputs/rudder_expected_reports.* | ncf expected reports | root:root 600 |
| all | /var/rudder/cfengine-community/inputs/ | Rudder directive content | root:root 600 |
| policy server | /var/rudder/configuration-repository/ncf/50_techniques/ | ncf technique | ncf-api-venv:rudder 644 (root server); root:root 600 (relay) |
| policy server | /var/rudder/share/ | ncf expected reports, Rudder directive content | root:root 600 (relay); root:root 660/600 (policy server) |
| policy server | /var/rudder/configuration-repository/shared-files/ | shared files | root:rudder 644 (server) ?; root:root 600 (relay) |
| root server | /var/rudder/configuration-repository/techniques/ncf_techniques/ | ncf expected reports and metadata | ncf-api-venv:rudder 660 |
| root server | /var/rudder/configuration-repository/directives/ | ncf technique parameters | root:root 660 |
| root server | /var/rudder/configuration-repository/directives/ | Rudder directive parameters | root:root 660 |

File transfers were all checked (and fixed) in #8159.
Updated by Alexis Mousset over 8 years ago
We should decide and document properly what is public and private (directives vs. techniques, generic methods vs. it_ops_knowledge, etc.)
Updated by Alexis Mousset over 8 years ago
To fix this we need:
- Correct umask for ncf-builder
- Correct permissions in the copy_from for ncf local
- Migration scripts on the server side to set correct perms on configuration-repository/techniques/ncf_techniques/
- On the nodes, the permissions will be fixed as soon as the new system techniques are downloaded
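The umask and migration items in the fix list above (a restrictive umask for the process that writes techniques, and a one-off repair of files already on disk) can be exercised on a scratch tree. This is an added example, not Rudder's migration script and not part of the original ticket; the function names, the umask value 027 and the sample tree are assumptions.

```shell
#!/bin/sh
# Added example, not Rudder's own migration script. It only touches a
# temporary directory; the tree layout below is constructed sample data.

# Print every file or directory under $1 that grants any access to "other".
# find does not follow symlinks by default, so links are never reported.
list_other_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count the entries reported by list_other_access (names without newlines).
count_other_access() {
    list_other_access "$1" | wc -l | tr -d ' '
}

# Migration step: drop all "other" bits, leave owner and group bits as-is.
strip_other_access() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec chmod o-rwx {} +
}

# Create file $2 under umask $1 in a subshell, so the caller's umask is kept.
write_with_umask() {
    ( umask "$1" && mkdir -p "$(dirname "$2")" && : > "$2" )
}

# Octal mode of $1 (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

demo() {
    tree=$(mktemp -d) || return 1
    # Before the fix: the writer runs with the common default umask 022.
    write_with_umask 022 "$tree/50_techniques/sample/sample.cf"
    echo "before: $(count_other_access "$tree/50_techniques") entries open to other"
    # Migration on existing content, then a writer with a restrictive umask.
    strip_other_access "$tree/50_techniques"
    write_with_umask 027 "$tree/50_techniques/sample2/sample2.cf"
    echo "after:  $(count_other_access "$tree/50_techniques") entries open to other"
    rm -rf "$tree"
}
demo
```

Running the migration without also changing the writer's umask only fixes the files present at that moment; anything written afterwards under 022 is world readable again.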
Updated by Vincent MEMBRÉ over 8 years ago
Awesome tables by Alexis Mousset are awesome
Updated by Alexis Mousset over 8 years ago
- Related to User story #8607: Document security level of Rudder content added
Updated by Vincent MEMBRÉ over 8 years ago
- Target version changed from 2.11.23 to 2.11.24
Updated by Alexis Mousset over 8 years ago
- Subject changed from File on /var/local/rudder/ncf are world readable to Files in /var/local/rudder/ncf are world readable
Updated by Alexis Mousset over 8 years ago
- Status changed from In progress to Pending technical review
Updated by Alexis Mousset over 8 years ago
- Status changed from Pending technical review to Pending release
Updated by Alexis Mousset over 8 years ago
- Target version changed from 2.11.24 to 2.11.23
Updated by Alexis Mousset over 8 years ago
- Status changed from Pending release to Released
Updated by Vincent MEMBRÉ over 5 years ago
- Private changed from Yes to No
- Priority set to 0