From: "Kenton Taylor"
To: dev@allura.apache.org
Reply-To: "[allura:tickets] " <8127@tickets.allura.p.forge-allura.apache.org>
Subject: [allura:tickets] #8127 Fix how we write the .google_authenticator file
Date: Thu, 15 Sep 2016 14:22:27 +0000 (UTC)

Looks good, clear to merge.


[tickets:#8127] Fix how we write the .google_authenticator file

Status: review
Milestone: unreleased
Labels: security
Created: Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
Last Updated: Fri Sep 09, 2016 07:30 PM UTC
Owner: Dave Brondsema

The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it. We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards. And best to do it atomically, with a file rename operation.



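The approach the ticket describes (restrictive permissions plus an atomic rename), as an added Python 3 example. It is not Allura's code; the function names, the temp-file prefix and the placeholder file contents are assumptions made for illustration.

```python
import os
import stat
import tempfile


def write_secret_atomically(path, data, mode=0o400):
    """Replace `path` with `data` (bytes); hypothetical helper, not Allura's.

    Works even if the existing file is read-only (0400): rename() needs
    write permission on the directory, not on the file being replaced.
    """
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with O_EXCL and mode 0600, in the same
    # directory so the final rename stays on one filesystem (atomic).
    fd, tmp_path = tempfile.mkstemp(prefix='.tmp-', dir=directory)
    try:
        with os.fdopen(fd, 'wb') as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())         # contents on disk before the rename
            os.fchmod(f.fileno(), mode)  # final mode set before the file is visible
        os.replace(tmp_path, path)       # readers see old or new, never partial
    except BaseException:
        try:
            os.unlink(tmp_path)          # do not leave a stray copy of the secret
        except FileNotFoundError:
            pass
        raise
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: an existing 0400 file, as PAM would leave it."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, '.google_authenticator')
        with open(target, 'wb') as f:
            f.write(b'OLD-PLACEHOLDER-KEY\n')   # constructed sample content
        os.chmod(target, 0o400)
        final_mode = write_secret_atomically(target, b'NEW-PLACEHOLDER-KEY\n')
        with open(target, 'rb') as f:
            content = f.read()
        return final_mode, content, sorted(os.listdir(d))
```

Because the temporary file is created with owner-only permissions and tightened to its final mode before the rename, the secret is never exposed under a looser mode at the target path.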