Date: Wed, 23 Aug 2017 08:05:10 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 221734] net-mgmt/icinga2: api-users.conf has world readability access (oct 644) and contains passwords!
Message-ID: <bug-221734-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221734

            Bug ID: 221734
           Summary: net-mgmt/icinga2: api-users.conf has world readability
                    access (oct 644) and contains passwords!
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: lme@FreeBSD.org
          Reporter: ohartmann@walstatt.org
          Assignee: lme@FreeBSD.org
             Flags: maintainer-feedback?(lme@FreeBSD.org)

When installing port net-mgmt/icinga2 and someone intends to use
satellites/zones, the icinga feature "API" needs to be enabled and set up.

When performing a trivial CLI command sequence "icinga2 api setup", a standard
file is installed in the FreeBSD standard installation path called
/usr/local/etc/icinga2/conf.d/api-users.conf, which has the following access
settings:

-rw-r--r--  1 root  wheel  281 Aug 22 07:43 api-users.conf

So the file, although containing sensitive passwords for the remote API access,
has world readability!

Changing the access rights with "chmod 600" ends up in a Compile error from
icinga2 core, as well as "chmod 640", because icinga2 core is running uid:gid
"icinga:icinga".

I performed "chown icinga:wheel api-users.conf" and "chmod 600 api-users.conf"
to gain maximum protection - not aware of any other implications so far.

-- 
You are receiving this mail because:
You are the assignee for the bug.
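
An added example, not part of the original bug report: a portable sh check for the two conditions the report describes, a credentials file that grants access to "other" and one that the daemon account can no longer read. The function names are hypothetical, and the icinga:icinga defaults are taken from the uid:gid named in the report.

```sh
#!/bin/sh
# Added example: audit a credentials file such as api-users.conf.
# The user/group default to the icinga:icinga identity named in the report;
# pass other names to test on a machine without that account.

# has_perm FILE MODE -> true if every bit in MODE is set on FILE.
# Uses POSIX find, so it works with both FreeBSD and GNU userlands.
has_perm() {
    [ -n "$(find "$1" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_secret_file FILE [USER] [GROUP]
# Returns 0 = ok, 1 = exposed to "other", 2 = daemon cannot read it,
#         3 = file missing.
audit_secret_file() {
    f=$1 user=${2:-icinga} group=${3:-icinga}
    [ -f "$f" ] || { echo "MISSING    $f"; return 3; }

    # Any read/write/execute bit for "other" exposes the API passwords.
    for bit in 004 002 001; do
        if has_perm "$f" "$bit"; then
            echo "EXPOSED    $f: mode grants access to other (bit $bit)"
            return 1
        fi
    done

    # The daemon must still be able to read the file: either it owns the
    # file with owner-read, or the file's group is its group with group-read.
    if [ -n "$(find "$f" -prune -user "$user" -perm -400 2>/dev/null)" ] ||
       [ -n "$(find "$f" -prune -group "$group" -perm -040 2>/dev/null)" ]; then
        echo "OK         $f"
        return 0
    fi
    echo "UNREADABLE $f: not readable by $user:$group"
    return 2
}

# Stand-alone use: sh audit.sh /usr/local/etc/icinga2/conf.d/api-users.conf
if [ "$#" -gt 0 ]; then
    audit_secret_file "$@"
fi
```
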