[Ovirt-devel] [PATCH server] secure the permissions on the ovirt.pp manifest file

Joey Boggs jboggs at redhat.com
Thu Feb 26 21:51:13 UTC 2009


Jeremy Katz wrote:
> On Wednesday, February 25 2009, Joey Boggs said:
>   
>> Secures the permissions on ovirt.pp to only allow only root read/write access all other 000
>>     
> [snip]
>   
>> diff --git a/installer/bin/ovirt-installer b/installer/bin/ovirt-installer
>> index 3ba9813..4832cde 100755
>> --- a/installer/bin/ovirt-installer
>> +++ b/installer/bin/ovirt-installer
>> @@ -295,7 +295,7 @@ FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
>>  config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")
>>  config_file.write(ERB.new(template, 0, "%>").result)
>>  config_file.close()
>> -
>> +File.chmod 0700, '/usr/share/ace/appliances/ovirt/ovirt.pp'
>>     
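Review bot: the race is in the context line `config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")`, which creates the file with umask-derived permissions (normally 0644) before the added `File.chmod 0700` line runs, so the rendered manifest is world-readable for that window. Ruby's `File.new` accepts a third permission argument, so `File.new(path, "w", 0600)` creates the file restricted from the start; keep a chmod as well only because the perm argument is ignored when the file already exists from an earlier run. 0600 is sufficient for a manifest that is read rather than executed, so 0700 adds an execute bit nothing needs.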
>
> Does it need to be executable or can it be 0600?  Also, there's a race
> here where someone can read the file before the chmod occurs -- better
> would be to get the permissions set properly initially, either by
> setting a umask or an initial mode for the file (not sure what ruby
> supports for the latter)
>
> Jeremy
>
> _______________________________________________
> Ovirt-devel mailing list
> Ovirt-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/ovirt-devel
>   
If we move the chmod right after the file is created, is that better or 
wrong, since the file is open while we are performing the operation? Set to 
600 as well.
----------------------------------------------------------------
require 'fileutils'
require 'erb'
# `template` holds the ERB source of ovirt.pp, defined earlier in ovirt-installer
FileUtils.mkdir_p("/usr/share/ace/appliances/ovirt")
config_file = File.new("/usr/share/ace/appliances/ovirt/ovirt.pp", "w")
File.chmod 0600, '/usr/share/ace/appliances/ovirt/ovirt.pp'
config_file.write(ERB.new(template, 0, "%>").result)
config_file.close()
----------------------------------------------------------------
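As an added illustration of the point under discussion (example code, not from the oVirt installer or this thread): passing the mode to open(2) closes the window between creation and chmod, while the second function shows why a chmod is still needed when the file already exists. The function names, the temporary directory and the placeholder manifest content are assumptions for the demo.

```ruby
# Added example, not part of ovirt-installer: create a config file so that it
# never exists with permissions wider than 0600.
require 'fileutils'
require 'tmpdir'

# Creates PATH with mode 0600 from the first instant it exists by passing the
# permission bits to open(2) instead of chmod'ing afterwards. The fchmod on
# the open descriptor covers a file left over from an earlier run, because
# the perm argument of File.open only applies when the file is created.
def write_private_file(path, content)
  FileUtils.mkdir_p(File.dirname(path))
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) do |f|
    f.chmod(0600)
    f.write(content)
  end
  File.stat(path).mode & 0777
end

# Shows why the chmod is still required: opening an existing 0644 file with
# perm 0600 leaves it at 0644, since open(2) uses perm only at creation time.
def perm_of_existing_file_after_open(path)
  File.write(path, "old")
  File.chmod(0644, path)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0600) { |f| f.write("new") }
  File.stat(path).mode & 0777
end

# Runs both cases in a throwaway directory; "# manifest" is hypothetical
# content standing in for the rendered ovirt.pp. Returns [0644, 0600].
def demo
  Dir.mktmpdir do |dir|
    path = File.join(dir, "ovirt.pp")
    [perm_of_existing_file_after_open(path), write_private_file(path, "# manifest")]
  end
end
```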
