Bug #4648
Updated by Marek Hulán over 10 years ago
/tmp/default_values.yaml file has world-readable permissions and does not check for existence when it's being created. Therefore it's prone to race-condition attacks. This file contains default values for all parameters (usually autogenerated passwords).
Proposed fix steps:
1. we'll use mktmpdir, which will be passed to the kafo_configure puppet module as a parameter
2. the kafo_configure puppet module will safely create the file (check for non-existence, create the file with 0600, then dump data)
3. packages (rpm, deb, gem) will remove any existing /tmp/default_values.yaml
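
The safe-creation step from the proposed fix, sketched as an added Ruby example; it is not kafo's or the kafo_configure module's code. The helper names, the directory prefix and the sample values are hypothetical.

```ruby
require 'tmpdir'
require 'yaml'

# Hypothetical helper (not kafo's API): create the file so that the
# existence check and the creation are a single atomic operation.
def write_exclusive(path, data)
  # CREAT|EXCL fails with Errno::EEXIST if anything already exists at
  # path, including a symlink planted by another local user.
  flags = File::WRONLY | File::CREAT | File::EXCL
  File.open(path, flags, 0o600) do |f|
    f.chmod(0o600) # umask can only clear bits; make the mode exact
    f.write(data)  # data is written only after the file is private
  end
  path
end

# Hypothetical helper: place the defaults file in a fresh private
# directory instead of a fixed, predictable name directly under /tmp.
def write_defaults_safely(values, basename = 'default_values.yaml')
  dir = Dir.mktmpdir('kafo_example') # unique name, created with mode 0700
  write_exclusive(File.join(dir, basename), YAML.dump(values))
end

# Returns true when creation is refused because the path already exists.
def creation_refused?(path)
  write_exclusive(path, "overwritten: true\n")
  false
rescue Errno::EEXIST
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data, standing in for autogenerated passwords.
  path = write_defaults_safely('db_password' => 'constructed-sample')
  printf("%s mode=%o\n", path, File.stat(path).mode & 0o777)
  puts "second create refused: #{creation_refused?(path)}"
end
```

The caller passes the returned path on as a parameter, as in step 1, and removes the directory once the values have been consumed.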