https://bugzilla.redhat.com/show_bug.cgi?id=766929 --- aeolus-conductor.spec.in | 1 + 1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/aeolus-conductor.spec.in b/aeolus-conductor.spec.in index 51a487c..53e1894 100644 --- a/aeolus-conductor.spec.in +++ b/aeolus-conductor.spec.in @@ -287,6 +287,7 @@ fi %{app_root}/config/database.pg %{app_root}/config/database.sqlite %config %{app_root}/config/*.yml +%attr(660, aeolus, aeolus) %{app_root}/config/database.yml %{app_root}/config.ru %{app_root}/db %{app_root}/dbomatic
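Review bot: the added `%attr(660, aeolus, aeolus) %{app_root}/config/database.yml` entry lists a file that the preceding `%config %{app_root}/config/*.yml` glob already matches, so database.yml is in %files twice (rpmbuild warns about files listed twice) and it is not obvious which entry's attributes, and whether the `%config` marking, survive. Better to make it a single entry, e.g. `%config %attr(0660, aeolus, aeolus) %{app_root}/config/database.yml`, or exclude it from the glob. Mode 660 also lets the service account rewrite its own database credentials; if the app only reads the file, 640 owned by root with group aeolus gives it what it needs.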
On 12/21/2011 01:50 PM, John Eckersberg wrote:
Since database.yml is a copy of database.pg, we should do the same for the other database configuration files:
%{app_root}/config/database.mysql
%{app_root}/config/database.pg
%{app_root}/config/database.sqlite
We also have other files that shouldn't be world-readable:
config/oauth.json
config/settings.yml
config/initializers/secret_token.rb
Perhaps we should just set every file under the config directory to 660, aeolus.
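A quick way to audit an installed config directory for the two problems raised in this thread (files readable by everyone, files writable by the service group) is a small POSIX shell check. This is an added example, not part of the thread or of aeolus-conductor; the demo tree it builds uses the file names mentioned above with constructed modes.

```shell
#!/bin/sh
# Added example (not from the aeolus-conductor spec or the thread): audit a
# config directory for entries readable by everyone or writable by the
# service group. Needs only POSIX sh, find, ls and cut; paths containing
# newlines are not handled.

# Print "reason<TAB>perms<TAB>path" for every offending entry under $1.
audit_config_dir() {
    find "$1" -print | while IFS= read -r p; do
        perms=$(ls -ld "$p" | cut -c2-10)           # e.g. rw-r-----
        group=$(printf '%s' "$perms" | cut -c4-6)   # group triplet
        other=$(printf '%s' "$perms" | cut -c7-9)   # world triplet
        case $other in
            ---) ;;
            *) printf 'world-accessible\t%s\t%s\n' "$perms" "$p" ;;
        esac
        case $group in
            *w*) printf 'group-writable\t%s\t%s\n' "$perms" "$p" ;;
        esac
    done
}

# Number of findings under $1, for a non-zero exit in a check script.
audit_count() {
    audit_config_dir "$1" | wc -l | tr -d ' '
}

# Build a constructed config tree with the file names from the thread and
# the modes it discusses: 660 (app-writable), 644 (default), 640 (target).
make_demo_config() {
    d=$1
    mkdir -p "$d/config/initializers"
    : > "$d/config/database.yml";   chmod 660 "$d/config/database.yml"
    : > "$d/config/oauth.json";     chmod 644 "$d/config/oauth.json"
    : > "$d/config/settings.yml";   chmod 640 "$d/config/settings.yml"
    : > "$d/config/initializers/secret_token.rb"
    chmod 640 "$d/config/initializers/secret_token.rb"
    chmod 750 "$d/config" "$d/config/initializers"
}

demo=$(mktemp -d)
make_demo_config "$demo"
audit_config_dir "$demo/config"   # flags database.yml and oauth.json only
rm -rf "$demo"
```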
Here's the updated patch, which more thoroughly covers everything under the config directory.
https://bugzilla.redhat.com/show_bug.cgi?id=766929
This will mark everything under config to only be accessible by the aeolus user/group. --- aeolus-conductor.spec.in | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/aeolus-conductor.spec.in b/aeolus-conductor.spec.in index aa49a29..ae31f90 100644 --- a/aeolus-conductor.spec.in +++ b/aeolus-conductor.spec.in @@ -278,6 +278,7 @@ fi %files %dir %{app_root} %{app_root}/app +%defattr(660,aeolus,aeolus,770) %dir %{app_root}/config %{app_root}/config/environments %{app_root}/config/initializers @@ -287,6 +288,7 @@ fi %{app_root}/config/database.pg %{app_root}/config/database.sqlite %config %{app_root}/config/*.yml +%defattr(-,root,root,-) %{app_root}/config.ru %{app_root}/db %{app_root}/dbomatic
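Review bot: `%defattr(660,aeolus,aeolus,770)` gives the running service write access to every file under config, including the initializers directory (where secret_token.rb lives) and the database files, so a compromise of the aeolus account could persist by rewriting configuration; owning the files as root with group aeolus and 640/750 gives the app read access without that. Note also that the `%defattr` applies to every entry up to the `%defattr(-,root,root,-)` reset before `%{app_root}/config.ru`, so any config entry listed elsewhere in %files is not covered, and because `%{app_root}/config/environments` and `%{app_root}/config/initializers` are listed without `%dir`, everything beneath them gets 660/770 too; the commit message should say so.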
On Thu, 5 Jan 2012 15:49:43 -0500, John Eckersberg jeckersb@redhat.com wrote:
Bump, can someone sanity check this and verify I am not totally ruining things in some unforeseen way?
On 05/01/12 15:49 -0500, John Eckersberg wrote:
Ack
On 05/01/12 15:49 -0500, John Eckersberg wrote:
Flag on the play, patch under further review
Here's an updated patch. We realized that only root should be able to write to the config directory. We don't want the running app to be able to modify the configuration; that would be a security hole.
https://bugzilla.redhat.com/show_bug.cgi?id=766929
This will mark everything under config to be read/write only by root, and read-only by the aeolus group. --- aeolus-conductor.spec.in | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/aeolus-conductor.spec.in b/aeolus-conductor.spec.in index 0ccfb9d..e6a2659 100644 --- a/aeolus-conductor.spec.in +++ b/aeolus-conductor.spec.in @@ -278,6 +278,7 @@ fi %files %dir %{app_root} %{app_root}/app +%defattr(640,root,aeolus,750) %dir %{app_root}/config %{app_root}/config/environments %{app_root}/config/initializers @@ -287,6 +288,7 @@ fi %{app_root}/config/database.pg %{app_root}/config/database.sqlite %config %{app_root}/config/*.yml +%defattr(-,root,root,-) %{app_root}/config.ru %{app_root}/db %{app_root}/dbomatic
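Review bot: with `%defattr(640,root,aeolus,750)` the aeolus account can no longer create or modify anything under config, so if database.yml is produced at install time as a copy of database.pg (as the earlier reply says), that copy has to be made by a root scriptlet, and a file created in %post is not covered by `%defattr` at all, so the scriptlet must chown/chmod it to root:aeolus 640 itself; if the running app was the one making the copy, it will now fail. Also, `%{app_root}/app`, listed just before the `%defattr`, stays under the spec's previous default, and the reset before `%{app_root}/config.ru` means "everything under config" in the commit message holds only if no config entries sit outside these two hunks.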
aeolus-devel@lists.fedorahosted.org