Joey Boggs
2009-Feb-25 21:04 UTC
[Ovirt-devel] [PATCH server] secure the permissions on the ovirt.pp manifest file
Secures the permissions on ovirt.pp to allow only root read/write access,
all others 000
---
installer/bin/ovirt-installer | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
index 3ba9813..4832cde 100755
--- a/installer/bin/ovirt-installer
+++ b/installer/bin/ovirt-installer
@@ -295,7 +295,7 @@
FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp",
"w")
config_file.write(ERB.new(template, 0, "%>").result)
config_file.close()
-
+File.chmod 0700, '/usr/share/ace/appliances/ovirt/ovirt.pp'
# Give a friendly reminder about what to do next
puts "\nTo start the installation run: ace install ovirt"
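Review bot: the File.chmod added after config_file.close() leaves a window in which ovirt.pp exists with the default mode from File.new(..., "w") (0666 masked by the umask) before the chmod tightens it; set the mode at creation instead, e.g. `config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w", 0600)`, which makes the separate chmod unnecessary. 0700 also sets the execute bit on a manifest that is only ever read, so 0600 is the mode that matches the stated intent of root read/write only.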
--
1.6.0.6
Jeremy Katz
2009-Feb-25 21:14 UTC
[Ovirt-devel] [PATCH server] secure the permissions on the ovirt.pp manifest file
On Wednesday, February 25 2009, Joey Boggs said:
> Secures the permissions on ovirt.pp to allow only root read/write access
> all others 000
[snip]
> diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
> index 3ba9813..4832cde 100755
> --- a/installer/bin/ovirt-installer
> +++ b/installer/bin/ovirt-installer
> @@ -295,7 +295,7 @@
> FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
> config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")
> config_file.write(ERB.new(template, 0, "%>").result)
> config_file.close()
> -
> +File.chmod 0700, '/usr/share/ace/appliances/ovirt/ovirt.pp'

Does it need to be executable or can it be 0600? Also, there's a race here
where someone can read the file before the chmod occurs -- better would be to
get the permissions set properly initially, either by setting a umask or an
initial mode for the file (not sure what ruby supports for the latter)

Jeremy
Joey Boggs
2009-Mar-02 15:33 UTC
[Ovirt-devel] [PATCH server] secure the permissions on the ovirt.pp manifest file
Jeremy Katz wrote:
> On Monday, March 02 2009, Joey Boggs said:
>
>> Jeremy Katz wrote:
>>
>>> On Thursday, February 26 2009, Joey Boggs said:
>>>
>>>> Jeremy Katz wrote:
>>>>
>>>>> On Wednesday, February 25 2009, Joey Boggs said:
>>>>>
>>>>>> Secures the permissions on ovirt.pp to allow only root read/write access
>>>>>> all others 000
>>>>>>
>>> [snip]
>>>
>>>> If we move the chmod right after the file is created, is that better
>>>> or wrong, since the file is open while we are performing the operation?
>>>> Set to 600 as well
>>>>
>>>
>>>
>>>> ----------------------------------------------------------------
>>>> FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
>>>> config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")
>>>> File.chmod 0600, '/usr/share/ace/appliances/ovirt/ovirt.pp'
>>>>
>>> A quick look at the ruby docs and File.new takes a permission argument.
>>> So config_file = File.new("/path", "w", 0600) should be better[1]
>>>
>>>
>> Last go at it :)
>>
>
> Looks good
>
> Jeremy
>
pushed
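The race Jeremy describes and the File.new permission argument the thread settles on, as an added stand-alone Ruby example (not the oVirt installer's code): it records the mode another process could observe immediately after creation, first with the create-then-chmod pattern from the original patch and then with the mode passed to File.new. The file names and the constructed manifest content are assumptions made for the example.

```ruby
require "tmpdir"

# Mode bits of a path as an octal string, e.g. "0644".
def mode_of(path)
  format("%04o", File.stat(path).mode & 0o777)
end

# Pattern from the original patch: create with "w" (0666 & ~umask), chmod later.
# Returns the mode visible in the window between creation and chmod.
def create_then_chmod(path)
  f = File.new(path, "w")
  observed = mode_of(path)   # file already exists with the default mode here
  File.chmod(0o600, path)    # tightening happens only after this point
  f.write("# constructed manifest content\n")
  f.close
  observed
end

# Jeremy's suggestion: pass the permission argument to File.new so the
# file is created with 0600 from its first instant; no separate chmod needed.
def create_with_mode(path)
  f = File.new(path, "w", 0o600)
  observed = mode_of(path)   # 0600 already, there is no window to exploit
  f.write("# constructed manifest content\n")
  f.close
  observed
end

# Runs both variants in a scratch directory and reports what was observed.
def demo
  Dir.mktmpdir do |dir|
    default_mode = format("%04o", 0o666 & ~File.umask)  # what "w" alone yields
    racy  = create_then_chmod(File.join(dir, "ovirt-racy.pp"))
    fixed = create_with_mode(File.join(dir, "ovirt-fixed.pp"))
    { default: default_mode, racy: racy, fixed: fixed }
  end
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

On a typical umask of 022 the racy variant reports "0644" during the window, while the fixed variant reports "0600" regardless of umask.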