stable
request #14771 Default permissions on configuration path and files are too open
I chose the conservative path (and easier to test) by only touching directories instead of files on existing platforms. The current situation is that files (local.inc and database.inc) are owned by root:root and have 644 mode, so anyone on the system can read db creds. On existing installations, the folders (/etc/tuleap/*) will be owned by codendiadm but with 750 mode, so the leak will be contained. On new installations, same, but in addition to that database.inc is owned by root:codendiadm with 640 mode, so only root can modify the conf (we prevent an RCE that would allow altering the conf as codendiadm) and nobody but codendiadm can read it.

Change-Id: I8912196a214d011bc17fe1b0845a47977bce540f
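The permission model the commit message describes (configuration directories at 750, the secret-bearing `database.inc` at 640 and never world-readable) can be audited with a short script. The following is an added example, not part of the Tuleap change or the Tuleap code base: it assumes GNU `stat -c`, it checks only modes (the root:codendiadm ownership from the message is not verified, because the constructed demo tree cannot be chowned without root), and the `conf` subdirectory name under the temp root is an assumption standing in for the real `/etc/tuleap/*` layout.

```shell
#!/bin/sh
# Added example (not Tuleap code): audit the modes the commit describes.
# Assumes GNU stat; ownership is deliberately not checked (see lead-in).

# Return 0 if every argument is a directory whose mode has no world bits
# and no group-write bit (750 or stricter); diagnostics go to stderr.
check_conf_dirs() {
  rc=0
  for d in "$@"; do
    mode=$(stat -c '%a' "$d") || { rc=1; continue; }
    case "$mode" in
      750|700|550|500) ;;
      *) echo "directory too open: $d ($mode)" >&2; rc=1 ;;
    esac
  done
  return $rc
}

# Return 0 if the file is neither world-readable nor group-writable
# (640 or stricter), which is the post-fix state for database.inc.
check_secret_file() {
  f=$1
  mode=$(stat -c '%a' "$f") || return 1
  case "$mode" in
    640|600|440|400) return 0 ;;
    *) echo "secret file readable by others: $f ($mode)" >&2; return 1 ;;
  esac
}

# Demo on a constructed tree (assumed layout: <root>/tuleap/conf/database.inc).
# Prints "before=<0|1> after=<0|1>": 1 means the audit found a problem.
demo() {
  tmp=$(mktemp -d)
  conf="$tmp/tuleap/conf"
  mkdir -p "$conf"
  : > "$conf/database.inc"

  # Pre-fix state from the message: 644 file in a 755 directory.
  chmod 644 "$conf/database.inc"
  chmod 755 "$conf"
  if check_secret_file "$conf/database.inc" && check_conf_dirs "$conf"; then
    before=0
  else
    before=1
  fi

  # Post-fix state: 640 file, 750 directory.
  chmod 640 "$conf/database.inc"
  chmod 750 "$conf"
  if check_secret_file "$conf/database.inc" && check_conf_dirs "$conf"; then
    after=0
  else
    after=1
  fi

  rm -rf "$tmp"
  echo "before=$before after=$after"
}

demo
```

On a real host the two check functions would be pointed at `/etc/tuleap/*` and `database.inc` directly; the demo only exists so the script runs without an installation.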
Modified Files
Status | File | Added | Removed
---|---|---|---
M | tools/rpm/tuleap.rhel7.spec | +14 | −0
M | tools/setup.el7.sh | +4 | −7
M | tools/setup/el7/include/setup.sh | +0 | −11