salt-ssh temporary files - insecure permissions #40075
Labels: Bug, fixed-pls-verify, P1, Salt-SSH, severity-critical, severity-high
ZRELEASED - 2016.11.4
Milestone
When salt-ssh sets up its temporary location (e.g. `/var/tmp/.root_xxxx_salt`), the files contained (e.g. `/var/tmp/.root_xxxx_salt/running_data/var/cache/salt/minion/files`) are 0644. Some of these files may well contain sensitive data such as private keys (which when installed will be set to 0600 by the state).

The permissions may be inherited from the salt-master, but if these files come from a backend such as gitfs, they seem to have 0644 in the master gitfs cache (which in itself is a problem!)

Run the following state with `salt-ssh` and check the files located in the temporary directory on the remote host. The `mykey.key` file will be
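
A check that can be run on a host managed with salt-ssh to list what the report describes: entries under the temporary directory that grant group or other access. This is an added example, not part of the original issue or Salt's code; the glob `/var/tmp/.*_salt` is an assumption generalized from the path quoted above, and `find_exposed` and `tighten` are hypothetical helper names.

```python
import glob
import os
import stat

# Assumption: temp dirs follow the pattern in the report
# (/var/tmp/.root_xxxx_salt); change this for a non-default location.
THIN_DIR_GLOB = "/var/tmp/.*_salt"
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any group or other permission bit


def find_exposed(root):
    """Return sorted [(path, mode)] for root and everything below it
    that grants any access to group or other."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    exposed = []
    for path in paths:
        st = os.lstat(path)  # do not follow symlinks out of the tree
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not enforced
        mode = stat.S_IMODE(st.st_mode)
        if mode & LOOSE_BITS:
            exposed.append((path, mode))
    return sorted(exposed)


def tighten(root):
    """Remove group/other bits from every entry find_exposed() reports.
    Returns the list of paths that were changed."""
    changed = []
    for path, mode in find_exposed(root):
        os.chmod(path, mode & ~LOOSE_BITS)
        changed.append(path)
    return changed


if __name__ == "__main__":
    # Report only; the root directory is listed too, because a 0700
    # parent limits who can reach the files below it.
    for thin_dir in glob.glob(THIN_DIR_GLOB):
        for path, mode in find_exposed(thin_dir):
            print(f"{oct(mode)} {path}")
```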