Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 23 Aug 2017 08:05:10 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-ports-bugs@FreeBSD.org
Subject:   [Bug 221734] net-mgmt/icinga2: api-users.conf has world readability access (oct 644) and contains passwords!
Message-ID:  <bug-221734-13@https.bugs.freebsd.org/bugzilla/>

next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D221734

            Bug ID: 221734
           Summary: net-mgmt/icinga2: api-users.conf has world readability
                    access (oct 644) and contains passwords!
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: Individual Port(s)
          Assignee: lme@FreeBSD.org
          Reporter: ohartmann@walstatt.org
          Assignee: lme@FreeBSD.org
             Flags: maintainer-feedback?(lme@FreeBSD.org)

When installing port net-mgmt/icinga2 and someone intends to use
satellites/zones, the icinga feature "API" needs to be enabled and setup.

When performing a trivial CLI command sequence "icinga2 api setup", a stand=
ard
file is installed in the FreeBSD standard installation path called

/usr/local/etc/icinga2/conf.d/api-users.conf

which has the follwoing access settings:

 -rw-r--r--  1 root  wheel   281 Aug 22 07:43 api-users.conf

So the file, although containing sensitive passwords for the remote API acc=
ess,
has world readability!

Changing the access rights with "chmod 600" ends up in a Compile error from
icinga2 core, as well as "chmod 640", because icinga2 core is running uid:g=
id
"icinga:icinga".

I performed "chown icinga:wheel api-users.conf" and "chmod 600 api-users.co=
nf"
to gain maximum protection - not aware of any other implications so far.

--=20
You are receiving this mail because:
You are the assignee for the bug.=



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-221734-13>