Bug #4648

Updated by Marek Hulán almost 6 years ago

The /tmp/default_values.yaml file has world-readable permissions, and its existence is not checked when it's being created. Therefore it's prone to race-condition attacks. This file contains default values for all parameters (usually autogenerated passwords).

Proposed fix steps:
# we'll use mktmpdir, which will be passed to the kafo_configure puppet module as a parameter
# the kafo_configure puppet module will safely create the file (check for non-existence, create the file with 0600, then dump the data)
# packages (rpm, deb, gem) will remove any existing /tmp/default_values.yaml
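
The first two fix steps, sketched in Ruby as an added example (not kafo's or the kafo_configure module's own code). The helper name `write_defaults_safely`, the `kafo-example` directory prefix and the sample password are assumptions made for illustration.

```ruby
require 'tmpdir'
require 'yaml'

# Hypothetical helper (not part of kafo): dump default values into a private
# directory, refusing to reuse anything that already exists at the target path.
def write_defaults_safely(dir, values, name = 'default_values.yaml')
  path = File.join(dir, name)
  # CREAT|EXCL makes "check for non-existence" and "create" one atomic step,
  # so there is no window between the check and the write. A pre-planted file
  # or symlink raises Errno::EEXIST instead of being written through.
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) do |f|
    f.chmod(0o600) # enforce owner-only access regardless of the umask
    f.write(YAML.dump(values))
  end
  path
end

# Exercises the helper against the two pre-existing-path cases from the report.
def demo
  r = {}
  Dir.mktmpdir('kafo-example') do |dir| # directory is created with mode 0700
    r[:dir_mode] = File.stat(dir).mode & 0o777
    path = write_defaults_safely(dir, { 'db_password' => 'constructed-sample' })
    r[:file_mode] = File.stat(path).mode & 0o777
    r[:round_trip] = YAML.load_file(path)['db_password']

    begin # a file already sits at the target path
      write_defaults_safely(dir, { 'db_password' => 'other' })
      r[:existing] = :overwritten
    rescue Errno::EEXIST
      r[:existing] = :refused
    end

    victim = File.join(dir, 'victim') # a dangling symlink sits at the target path
    File.symlink(victim, File.join(dir, 'planted.yaml'))
    begin
      write_defaults_safely(dir, {}, 'planted.yaml')
      r[:symlink] = :followed
    rescue Errno::EEXIST
      r[:symlink] = :refused
    end
    r[:victim_created] = File.exist?(victim)
  end
  r
end

p demo if $PROGRAM_NAME == __FILE__
```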
