•  
      request #14771 Default permissions on configuration path and files are too open
    Infos
    #14771
    Manuel Vacelet (vaceletm)
    2020-05-13 08:52
    2020-04-09 14:56
    16039
    Details
    Default permissions on configuration path and files are too open

    On new RHEL7 install /etc/tuleap/conf/database.inc is readable by too much users.

    Tuleap sets too wide permissions on its configuration files making possible to get access to secrets.

    Impact

    An attacker with a shell account on the server can read /etc/tuleap/conf/database.inc and can read/write on the database. It must be noted the possibility for users to have a shell account is not enabled by default and requires specific configuration from the system administrators. Users must also have granted a shell access by a site administrator.
    CVSSv3.1 score: 6.6 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)

    References

    CWE-276

    Installation process
    All
    EL7 (CentOS|RHEL)
    • [ ] enhancement
    • [ ] internal improvement
    Empty
    Stage
    Manuel Vacelet (vaceletm)
    Closed
    2020-04-10
    Attachments
    Empty
    References

    Follow-ups

    User avatar
    Thomas Gerbet (tgerbet)2020-04-09 15:51
    • Original Submission
      Something went wrong, the follow up content couldn't be loaded
      Only formatting have been changed, you should switch to markup to see the changes