Public

Project privacy set to public. By default, its content is available to everyone (authenticated or not). Please note that more restrictive permissions might exist on some items.

stable

Clone or download

Read-only

request #14771 Default permissions on configuration path and files are too open

Download Browse

I choose the conservative path (and easier to test) by only touching to directories instead of files on existing platforms. The current situation is that files (local.inc and database.inc) are owned by root:root and have 644 mode so anyone on the system can read db creads. On existing installations, the folders (/etc/tuleap/* will be owned by codendiadm but with 750 mode so the leak will be contained. On new installations, same but in addition to that database.inc is owned by root:codendiadm with 640 mode so only root can modify the conf (we prevent from a RCE that would allow to alter the conf by codendiadm) and nobody but codendiadm can read. Change-Id: I8912196a214d011bc17fe1b0845a47977bce540f

+18 −18
Manuel Vacelet (vaceletm) 2020-04-09 13:48
Manuel Vacelet (vaceletm) 2020-04-09 17:35
d5cbaaafaf5ad35153538769f5f55742bc65bac5
c7961f90641d7e9dfbfce3ca5101f9a3cf3a762c
git #tuleap/stable/d5cbaaafaf5ad35153538769f5f55742bc65bac5

Modified Files

Side by side diff
Inline diff
Name
M tools/rpm/tuleap.rhel7.spec +14 −0 Go to diff View file
M tools/setup.el7.sh +4 −7 Go to diff View file
M tools/setup/el7/include/setup.sh +0 −11 Go to diff View file