Bug #32827

Set sendmail location and arguments via puppet/installer

Added by Lukas Zapletal 3 months ago. Updated 3 months ago.

Status: Closed
Priority: Normal
Category: Foreman modules
Target version: -
Difficulty:
Triaged: No
Bugzilla link:
Fixed in Releases:
Found in Releases:

Description

We have a setting to set the sendmail location/arguments in the UI/CLI/API; however, this brought some issues with security:

https://github.com/theforeman/foreman/pull/8599#issuecomment-863225804

As a better long-term solution, it would be great to set both settings in settings.yaml via Puppet. They automatically override the UI, and there is a warning info icon informing users that the setting is read-only and editable only via settings.yaml.


Related issues

Related to Foreman - Bug #32753: CVE-2021-3584: Remote code execution through Sendmail configuration (Closed)

Associated revisions

Revision 6c902a4f (diff)
Added by Ewoud Kohl van Wijngaarden 3 months ago

Fixes #32827 - Add sendmail config options

As part of CVE-2021-3584 the option email_sendmail_location was limited
to just 4 choices. This allows admins to set it via settings.yaml. The
idea is that if you can edit settings.yaml, you're already compromised
while UI could be less protected.

When a setting is present in settings.yaml, the option becomes read-only
in the UI.

If the options are not set, they don't show up in settings.yaml.
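
The trust model in the commit message above, as an added Ruby sketch (not code from Foreman or puppet-foreman): a value present in settings.yaml wins and is read-only for UI/CLI/API callers, while an unpinned value stays editable but only within an allowlist. The class name, method names, the allowlist entries and the sample file contents are assumptions made for illustration.

```ruby
require "yaml"

# Hypothetical model of the precedence rules; not Foreman's implementation.
class SendmailSettings
  # Constructed allowlist standing in for the "4 choices" offered to UI/API users.
  UI_ALLOWED_LOCATIONS = %w[
    /usr/sbin/sendmail /usr/bin/sendmail
    /usr/local/sbin/sendmail /usr/local/bin/sendmail
  ].freeze

  def initialize(settings_yaml)
    # File values are trusted: writing settings.yaml already requires host access.
    # An empty document parses to nil/false, so fall back to an empty hash.
    @file = YAML.safe_load(settings_yaml, symbolize_names: true) || {}
    @db = {} # stands in for values stored through the UI/CLI/API
  end

  # A setting present in the file is read-only everywhere else.
  def read_only?(name)
    @file.key?(name)
  end

  # Update path for the less trusted boundary (UI/CLI/API).
  def update_from_ui(name, value)
    raise ArgumentError, "#{name} is read-only (set in settings.yaml)" if read_only?(name)
    if name == :email_sendmail_location && !UI_ALLOWED_LOCATIONS.include?(value)
      raise ArgumentError, "#{value.inspect} is not an allowed sendmail location"
    end
    @db[name] = value
  end

  # Effective value: the file overrides anything stored via the UI.
  def value(name)
    read_only?(name) ? @file[name] : @db[name]
  end
end

# Constructed sample file content: an admin pins a non-standard binary path.
SAMPLE_SETTINGS_YAML = "email_sendmail_location: /opt/mta/bin/sendmail\n"

if __FILE__ == $PROGRAM_NAME
  pinned = SendmailSettings.new(SAMPLE_SETTINGS_YAML)
  puts "pinned value: #{pinned.value(:email_sendmail_location)}"
  puts "read-only in UI: #{pinned.read_only?(:email_sendmail_location)}"
end
```
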

History

#1 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Related to Bug #32753: CVE-2021-3584: Remote code execution through Sendmail configuration added

#2 Updated by The Foreman Bot 3 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/961 added

#3 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Assignee deleted (Ewoud Kohl van Wijngaarden)
  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/theforeman/puppet-foreman/pull/961)

Testing bot integration

#4 Updated by The Foreman Bot 3 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/961 added

#5 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Status changed from Ready For Testing to New
  • Pull request deleted (https://github.com/theforeman/puppet-foreman/pull/961)

Again, apologies for the spam.

#6 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Assignee deleted (Ewoud Kohl van Wijngaarden)

#7 Updated by The Foreman Bot 3 months ago

  • Assignee set to Ewoud Kohl van Wijngaarden
  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/puppet-foreman/pull/961 added

#8 Updated by The Foreman Bot 3 months ago

  • Fixed in Releases 3.0.0 added

#9 Updated by Ewoud Kohl van Wijngaarden 3 months ago

  • Status changed from Ready For Testing to Closed
