Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Configuration file /etc/tendrl/etcd.yml with etcd root password is readable for every account #293

Closed
mbukatov opened this issue Sep 18, 2017 · 5 comments
Closed

Configuration file /etc/tendrl/etcd.yml with etcd root password is readable for every account #293

mbukatov opened this issue Sep 18, 2017 · 5 comments
Assignees
@TimothyAsir
Labels
bug packaging

Comments

@mbukatov
Copy link
Contributor

Description

Configuration file /etc/tendrl/etcd.yml can now contain username and password for etcd admin access, but the file is still packaged as world readable.

Version

Latest snapshot build from master branch (it's part of upcoming 1.5.2 version):

tendrl-api-1.5.2-20170916T041838.48452aa.noarch

Details

Details including reproducer, actual and expected results are similar to Tendrl/monitoring-integration#125, which you can refer to for more details:

# grep :password: /etc/tendrl/etcd.yml
  :password: 'twZONmWfcaSJayIlIzrQaNyBhusDVx'
  :password: 'twZONmWfcaSJayIlIzrQaNyBhusDVx'
  :password: 'twZONmWfcaSJayIlIzrQaNyBhusDVx'
# rpm -qf /etc/tendrl/etcd.yml
tendrl-api-1.5.2-20170916T041838.48452aa.noarch
# ls -l /etc/tendrl/etcd.yml
-rw-r--r--. 1 root root 405 Sep 18 12:58 /etc/tendrl/etcd.yml
# rpm -qV tendrl-api
S.5....T.  c /etc/tendrl/etcd.yml
@mbukatov mbukatov mentioned this issue Sep 18, 2017
Closed
@mbukatov
Copy link
Contributor Author

Package tendrl-api-1.5.2-20170921T125939.61d8945.noarch is still affected.

@anivargi anivargi added the bug label Sep 26, 2017
@mbukatov
Copy link
Contributor Author

@sidhax this seems like security related issue

@anivargi
Copy link
Contributor

@mbukatov we don't have support for username and password based etcd auth anymore, is this still relevant?

@mbukatov
Copy link
Contributor Author

@anivargi that is true, the support for password authentication has been removed, but now I see an option to provide passphrase (I guess that it's a passphrase for the ssl private key, right?), so it seems to me that it is still relevant.

TimothyAsirJeyasing added a commit to TimothyAsirJeyasing/tendrl-api that referenced this issue Oct 11, 2017
@TimothyAsirJeyasing
Change etcd.yml file permission to 640
270a77e 
tendrl-bug-id: Tendrl#293

Signed-off-by: Timothy Asir J <[email protected]>
@TimothyAsirJeyasing TimothyAsirJeyasing mentioned this issue Oct 11, 2017
Merged
anivargi pushed a commit that referenced this issue Oct 12, 2017
@TimothyAsirJeyasing @anivargi
Change etcd.yml file permission to 640
1a5d359 
tendrl-bug-id: #293

Signed-off-by: Timothy Asir J <[email protected]>
@TimothyAsirJeyasing
Copy link
Contributor

It is fixed now, We can close this.

@r0h4n r0h4n closed this as completed Nov 9, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@TimothyAsir TimothyAsir

Labels
bug packaging
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@r0h4n @TimothyAsir @mbukatov @TimothyAsirJeyasing @anivargi