Couchbase Server / MB-8046

[Doc'd 2.1.0] config.dat and other potentially security sensitive files are world readable in world readable directories

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0, 2.0.1
    • Fix Version/s: 2.1.0
    • Component/s: installer, ns_server
    • Security Level: Public
    • Labels:
      None

      Description

      SUBJ. Everything appears to be world-readable. Data files, config, cookie files, etc.

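The check a practitioner would run for the condition this ticket describes, as an added example that is not part of the ticket or of Couchbase's own code: walk an install tree, report every file and directory whose mode grants read to "others", strip those bits (the equivalent of `chmod -R o-rwx`), and re-check. The tree built in `demo()` is constructed for illustration; its paths and file names are assumed to resemble a Couchbase data directory and are not taken from the page. It also illustrates the release-note caveat later in the thread: once the "others" bits are gone, an unprivileged account (and any tool it runs, such as cbcollect_info) can no longer read these paths.

```python
import os
import stat
import tempfile


def world_readable(path):
    """True if the 'others' read bit is set on path.

    lstat is used so a symlink's own (meaningless) mode bits are examined,
    not those of its target; callers skip symlinks anyway.
    """
    return bool(os.lstat(path).st_mode & stat.S_IROTH)


def _entries(root):
    """Yield every non-symlink file and directory below root (root itself excluded)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                yield full


def find_world_readable(root):
    """Sorted list of paths (relative to root) readable by 'others'.

    A world-readable directory lets any local user list it; a world-readable
    file lets any local user copy it, which is the MB-8046 condition.
    """
    return sorted(os.path.relpath(p, root) for p in _entries(root) if world_readable(p))


def restrict(root):
    """Clear all 'others' bits below root, like chmod -R o-rwx. Returns entries changed."""
    changed = 0
    for p in _entries(root):
        mode = stat.S_IMODE(os.lstat(p).st_mode)
        if mode & stat.S_IRWXO:
            os.chmod(p, mode & ~stat.S_IRWXO)
            changed += 1
    return changed


def demo():
    """Build a constructed tree with the loose modes the ticket describes, audit it,
    fix it, and audit again. Layout and names are assumptions for illustration."""
    root = tempfile.mkdtemp(prefix="cb-perm-demo-")
    files = {
        "var/lib/couchbase/config/config.dat": 0o644,        # config, world-readable
        "var/lib/couchbase/couchbase-server.cookie": 0o644,  # cookie, world-readable
        "var/lib/couchbase/data/default/0.couch.1": 0o644,   # data file, world-readable
        "var/lib/couchbase/logs/debug.log": 0o600,           # already owner-only
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample content\n")
        os.chmod(full, mode)
    # Set directory modes explicitly so the result does not depend on the umask.
    for dirpath, dirnames, _ in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o755)

    before = find_world_readable(root)
    restrict(root)
    after = find_world_readable(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("world-readable before fix:", *before, sep="\n  ")
    print("world-readable after fix:", after)
```

On a real host, point `find_world_readable` at the server's data directory instead of the constructed tree; run it as root so the walk itself is not blocked by the directories the fix closed off.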

        Activity

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        ns_server side fix is in http://review.couchbase.org/25579

        But at least rpm packaging needs to be fixed as well. Patch for that is in gerrit.

        anil Anil Kumar added a comment -

        Waiting for code-review.

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Merged two fixes

        maria Maria McDuff (Inactive) added a comment -

Please verify on 2.0.2 build. Thanks.

        shashank Shashank Gupta added a comment -

        Verified using build 2.0.2-767-rel.

        alkondratenko Aleksey Kondratenko (Inactive) added a comment -

        Worth documenting imho. See Bin's comment MB-8239 about needing root.

        Here's what I'd add to release notes:

Since Couchbase Server 2.0.2 some internal directories are not world-readable anymore. On multiuser systems that was a security issue, which is now closed. It will affect people trying to run cbcollect_info under non-root accounts, because cbcollect_info will be unable to see many details about Couchbase Server; what it could see was quite limited before, but since 2.0.2 it's nearly totally invisible.

        anil Anil Kumar added a comment -

        Karen, release notes candidate. this ticket and MB-8239 has more info.

        kzeller kzeller added a comment -

        Added to RN 2.1.0:

        <rnentry>

        <version ver="2.1.0a"/>

        <class id="cmdline"/>

        <rntext>

        <para>
        For earlier versions of Couchbase Server, some internal server directories were accessible to all users, which was a security issue.
        This is now fixed. The fix now means that you should have root privileges when you run <command>cbcollect_info</command> because
        this tool needs this access level to collect all the information it needs to collect about the server. For more information
        about <command>cbcollect_info</command>, see <xref linkend="couchbase-admin-cmdline-cbcollect_info" />.
        </para>

        </rntext>

        </rnentry>

        Added to cbcollect_info chapter:

        <para>As of Couchbase Server 2.1.0+ you will need a root account to run this command and collect
        all the server information needed. There are internal server files and directories that this
        tool accesses which require root privileges.</para>


          People

          • Assignee: kzeller kzeller
          • Reporter: alkondratenko Aleksey Kondratenko (Inactive)
          • Votes: 0
          • Watchers: 6