Project

General

Profile

Bug #4648

Updated by Marek Hulán over 10 years ago

/tmp/default_values.yaml file has world readable permissions and does not check for existence when it's being created. Therefore it's prone to race-condition attacks. This file contains default values for all parameters (usually autogenerated passwords) 

 Proposed fix steps: 
 # we'll use mktmpdir which will be passed to kafo_configure puppet module as a parameter 
 # kafo_configure puppet module will safely create file (check for non-existence, create file with 0600, then dumps data) 
 # packages (rpm, deb, gem) will remove any existing /tmp/default_values.yaml

Back