[Ovirt-devel] [PATCH server] secure the permissions on the ovirt.pp manifest file

Jeremy Katz katzj at redhat.com
Wed Feb 25 21:14:37 UTC 2009


On Wednesday, February 25 2009, Joey Boggs said:
> Secures the permissions on ovirt.pp to allow only root read/write access, all others 000
[snip]
> diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
> index 3ba9813..4832cde 100755
> --- a/installer/bin/ovirt-installer
> +++ b/installer/bin/ovirt-installer
> @@ -295,7 +295,7 @@ FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
>  config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")
>  config_file.write(ERB.new(template, 0, "%>").result)
>  config_file.close()
> -
> +File.chmod 0700, '/usr/share/ace/appliances/ovirt/ovirt.pp'
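
Review bot: The added `File.chmod 0700` line sets the execute bit on ovirt.pp, which the commit message does not ask for (it says root read/write), so 0600 would match the stated intent. The chmod also runs only after `config_file.write(...)` and `config_file.close()`, so the rendered manifest sits on disk with the default creation mode until then; passing the mode at creation, e.g. `File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w", 0600)`, closes that window for a newly created file. The perm argument is ignored when the file already exists, so an existing ovirt.pp would still need its mode tightened before the write.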

Does it need to be executable or can it be 0600?  Also, there's a race
here where someone can read the file before the chmod occurs -- better
would be to get the permissions set properly initially, either by
setting a umask or an initial mode for the file (not sure what ruby
supports for the latter)

Jeremy
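
The race described in the reply above, and one way to avoid it in Ruby, as an added example that is not part of the original thread or of ovirt-installer. The helper names and the scratch path are hypothetical, and a 022 umask is assumed for the demonstration.

```ruby
require "tmpdir"

# Hypothetical helper (not from ovirt-installer): write content to path so it
# is never group/world readable, even briefly.
def write_private_file(path, content, mode = 0600)
  tmp = File.join(File.dirname(path), ".#{File.basename(path)}.#{Process.pid}.tmp")
  created = false
  begin
    # open(2) applies the perm argument at creation, so there is no chmod
    # window. O_EXCL refuses to reuse a file pre-created at this name.
    File.open(tmp, File::WRONLY | File::CREAT | File::EXCL, mode) do |f|
      created = true
      f.write(content)
    end
    # rename(2) atomically replaces an older copy with looser permissions;
    # passing perm to open would NOT tighten a file that already exists.
    File.rename(tmp, path)
  rescue StandardError
    File.unlink(tmp) if created && File.exist?(tmp)
    raise
  end
  File.stat(path).mode & 0777
end

# The pattern from the patch: create with the default mode, chmod afterwards.
# Returns the mode the file had while the content was already on disk.
def mode_before_chmod(path, content)
  f = File.new(path, "w")
  f.write(content)
  f.close
  exposed = File.stat(path).mode & 0777
  File.chmod(0600, path)
  exposed
end

# Runs both against a scratch directory under a typical 022 umask.
def demo
  old_umask = File.umask(0022)
  Dir.mktmpdir do |dir|
    path = File.join(dir, "ovirt.pp")           # constructed sample path
    exposed = mode_before_chmod(path, "secret") # 0644 until chmod runs
    File.chmod(0644, path)                      # simulate a stale loose copy
    final = write_private_file(path, "secret")
    [exposed, final, File.read(path)]
  end
ensure
  File.umask(old_umask)
end
```

Calling `demo` returns the mode seen before the chmod, the mode after the private write, and the file content.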



