879094 - CVE-2012-5561 - fix permissions on /etc/katello/secure #1349
Conversation
thanks to @kseifriedredhat for all of the help!
ACK nice find.
| @@ -708,6 +708,10 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN | |||
| getent group %{name} >/dev/null || groupadd -r %{name} -g 182 | |||
| getent passwd %{name} >/dev/null || \ | |||
| useradd -r -g %{name} -d %{homedir} -u 182 -s /sbin/nologin -c "Katello" %{name} | |||
| # add tomcat & katello to the katello shared group for reading sensitive files | |||
| groupadd katello-shared | |||
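Review bot: the added `groupadd katello-shared` is not idempotent, so the scriptlet aborts on upgrade or reinstall once the group exists, and it omits `-r`, so the group is allocated from the regular user GID range instead of the system range that `groupadd -r %{name} -g 182` two lines above uses. Guard it the same way the existing line does, e.g. `getent group katello-shared >/dev/null || groupadd -r katello-shared`, so the scriptlet succeeds on both first install and upgrade.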
This will fail if the group already exists. Should be:
getent group katello-shared >/dev/null || groupadd -r katello-shared
You may want to allocate a static id for the katello-shared group (see bz 804204 for how to do it), hmmm, and why could we not use the katello group in the first place?
On 01/04/2013 02:21 AM, Miroslav Suchý wrote:
In src/katello.spec:
@@ -708,6 +708,10 @@ test -f
$TOKEN || (echo $ (</dev/urandom tr
-dc A-Za-z0-9 | head -c128) > $TOKEN getent group %{name}/dev/null || groupadd -r %{name} -g 182 getent passwd %{name}
/dev/null || \ useradd -r -g %{name} -d %{homedir} -u 182 -s
/sbin/nologin -c "Katello" %{name} +# add tomcat & katello to the
katello shared group for reading sensitive files +groupadd
katello-shared
This will fail if the group already exists. Should be: getent group katello-shared >/dev/null || groupadd -r katello-shared
You may want to allocate a static id for the katello-shared group (see bz 804204 for how to do it), hmmm, and why could we not use the katello group in the first place?
Because more than just katello needs access to this file apparently,
so adding like tomcat to the katello group would be a huge exposure.
Better to minimize the exposure to just the file(s) needed by using a
special group. Longer term my understanding is pulp/candlepin/etc
might need access to this file as well.
View it on GitHub: https://github.com/Katello/katello/pull/1349/files#r2548308
Kurt Seifried, Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
| @@ -708,6 +708,10 @@ test -f $TOKEN || (echo $(</dev/urandom tr -dc A-Za-z0-9 | head -c128) > $TOKEN | |||
| getent group %{name} >/dev/null || groupadd -r %{name} -g 182 | |||
| getent passwd %{name} >/dev/null || \ | |||
| useradd -r -g %{name} -d %{homedir} -u 182 -s /sbin/nologin -c "Katello" %{name} | |||
| # add tomcat & katello to the katello shared group for reading sensitive files | |||
| getent group katello-shared > /dev/null || groupadd -r katello-shared | |||
| usermod -a -G katello-shared tomcat | |||
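Review bot: `usermod -a -G katello-shared tomcat` runs in the same scriptlet that creates the `%{name}` user, and nothing at that point guarantees the `tomcat` account exists: a plain `Requires: candlepin-tomcat6` does not promise the tomcat package is installed before this package's pre-install scriptlet runs, so a missing user makes `usermod` fail and the whole install abort. Move the line to `%post` and declare `Requires(post): candlepin-tomcat6`, or at minimum guard it with `getent passwd tomcat >/dev/null &&`. The group guard on the line above is correct, and `-a` is the right flag (without it `-G` would replace tomcat's other supplementary groups); note that new group membership only applies to new processes, so a running tomcat must be restarted before it can read the shared files.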
and the user tomcat does not have to exist at this moment.
You should probably move this one line to the %post section of headpin and katello (those top packages)
and change
Requires: candlepin-tomcat6
to
Requires(post): candlepin-tomcat6
to make sure tomcat exists in the post phase.
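The two review points above (guard the group creation with `getent` so it is idempotent, and grant tomcat membership only in `%post` once `Requires(post)` guarantees the account exists), written out as an added example. This is not code from the Katello spec or from the PR; it assumes GNU coreutils `stat`, shadow-utils `groupadd`/`usermod` and glibc `getent`, and the group name and directory path are taken from the PR while the audit function and its constructed test files are this example's own.

```shell
#!/bin/sh
# Added example (not Katello's spec or the PR's code): the scriptlet pattern the
# review converges on, plus a defender-side audit of the files the fix protects.
# Assumes GNU stat(1), shadow-utils groupadd/usermod and glibc getent.

SHARED_GROUP="katello-shared"          # group name from the PR
SECRET_DIR="/etc/katello/secure"       # directory from the PR title

# Idempotent group creation for the pre-install scriptlet: getent exits 0 when
# the group exists, so groupadd runs only on first install and an upgrade no
# longer aborts here. -r allocates a system GID, like the katello user itself.
ensure_shared_group() {
    getent group "$1" >/dev/null || groupadd -r "$1"
}

# Membership for %post, where Requires(post): candlepin-tomcat6 guarantees the
# tomcat account exists. -a appends; without it -G would replace the user's
# other supplementary groups. Applies to new processes only, so a running
# tomcat has to be restarted before it can read the shared files.
grant_shared_access() {
    getent passwd "$1" >/dev/null || { echo "user $1 does not exist yet" >&2; return 1; }
    usermod -a -G "$2" "$1"
}

# Returns 0 when a secret file has the least-privilege layout the fix aims for:
# group ownership is $2, no permission bits for "other", and no group write.
check_secret_perms() {
    path="$1"; group="$2"
    [ -f "$path" ] || return 1
    want_gid=$(getent group "$group" | cut -d: -f3)
    [ -n "$want_gid" ] || return 1                     # unknown group
    [ "$(stat -c '%g' "$path")" = "$want_gid" ] || return 1
    mode=$((0$(stat -c '%a' "$path")))                 # octal string -> integer
    [ $((mode & 7)) -eq 0 ] || return 1                # o=rwx must all be clear
    [ $((mode & 16)) -eq 0 ] || return 1               # g=w must be clear
    return 0
}

# Audits every regular file in a directory; prints one line per file and
# returns 1 if any file is world-accessible, group-writable or mis-grouped.
audit_secret_dir() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if check_secret_perms "$f" "$2"; then
            echo "ok   $f"
        else
            echo "WEAK $f ($(stat -c '%U:%G %a' "$f"))"
            bad=1
        fi
    done
    return $bad
}

# Usage: sh example.sh audit    (read-only, any user)
#        sh example.sh install  (root; mirrors the pre-install and %post steps)
case "${1:-}" in
    audit)   audit_secret_dir "$SECRET_DIR" "$SHARED_GROUP" ;;
    install) ensure_shared_group "$SHARED_GROUP" && grant_shared_access tomcat "$SHARED_GROUP" ;;
esac
```

The audit compares numeric GIDs rather than names so it behaves the same whether the group was created with a static GID (as suggested for bz 804204) or a dynamic one, and it rejects group-writable files as well as world-readable ones, since the point of the shared group is read access for tomcat and nothing more.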
ACK
879094 - CVE-2012-5561 - fix permissions on /etc/katello/secure