From: Dave Brondsema
To: dev@allura.apache.org
Subject: [allura:tickets] #8127 Fix how we write the .google_authenticator file
Date: Thu, 15 Sep 2016 14:28:50 +0000 (UTC)

  • status: review --> closed

[tickets:#8127] Fix how we write the .google_authenticator file

Status: closed
Milestone: unreleased
Labels: security
Created: Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
Last Updated: Thu Sep 15, 2016 02:22 PM UTC
Owner: Dave Brondsema

The Google Authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it. We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards. And best to do it atomically, with a file rename operation.


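The write the ticket describes, as an added Python 3 example for POSIX systems (not Allura's code and not part of the original ticket): the new contents go into an owner-only temp file in the same directory, which is then renamed over the existing read-only file. The function name `write_secret_atomically`, the `.tmp-` naming and the sample contents are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile


def write_secret_atomically(path, data, mode=0o400):
    """Replace path with data (bytes); the result is complete and owner-only."""
    directory = os.path.dirname(os.path.abspath(path))
    # The temp file lives in the same directory so the rename stays on one
    # filesystem; the random suffix makes the name unpredictable.
    tmp_path = os.path.join(directory, ".tmp-" + secrets.token_hex(8))
    # O_EXCL fails if the name already exists (including as a symlink), and
    # 0o600 at creation means the secret is never group- or world-readable.
    fd = os.open(tmp_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())         # contents on disk before the rename
            os.fchmod(fh.fileno(), mode)  # exact final mode, whatever the umask
        # rename() swaps the directory entry, so it only needs write access to
        # the directory and works even when the old file is 0400.
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.lexists(tmp_path):
            os.unlink(tmp_path)
        raise
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)                  # make the rename itself durable
    finally:
        os.close(dir_fd)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".google_authenticator")
        with open(target, "wb") as fh:
            fh.write(b"OLD-CONSTRUCTED-SECRET\n")   # constructed sample content
        os.chmod(target, 0o400)                     # as PAM leaves it, per the ticket
        write_secret_atomically(target, b"NEW-CONSTRUCTED-SECRET\n")
        print(oct(stat.S_IMODE(os.stat(target).st_mode)), os.listdir(home))
```

A reader such as the PAM module sees either the old file or the new one in full, never a partially written file.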