ambari-dev mailing list archives

From "Andrew Onischuk (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AMBARI-13087) Verify if restricting acls on /var/lib/ambari-agent/data will be OK
Date Mon, 14 Sep 2015 11:55:46 GMT
Andrew Onischuk created AMBARI-13087:
----------------------------------------

             Summary: Verify if restricting acls on /var/lib/ambari-agent/data will be OK
                 Key: AMBARI-13087
                 URL: https://issues.apache.org/jira/browse/AMBARI-13087
             Project: Ambari
          Issue Type: Bug
            Reporter: Andrew Onischuk
            Assignee: Andrew Onischuk
             Fix For: 2.1.2


**DO NOT CREATE AN EXTERNAL APACHE JIRA**  
Add the findings to this JIRA. This is a potential security issue and hence a
different process needs to be followed.

1\. The permissions of the /var/lib/ambari-agent/data folder are 0744. The data
folder contains output and error streams from all ambari agents’ commands. If
a script prints any of its parameters to the screen, such as passwords, either
while succeeding, or when an exception is thrown, then all users on the system
are able to read this data. Unless we’re mistaken, the correct permissions on
this folder should be 0700.

2\. The permissions of the /var/lib/ambari-agent/keys/<hostname>.key private
key is set to 0644. This makes the private key of the ambari agent publicly
readable. As far as we know, ambari agents talk to the server with SSL using
the key placed here (if SSL is enabled). We think that within a short amount
of time it is possible for any user on the system to craft the call to the
ambari server pretending to be the ambari agent heartbeat, and intercept all
configurations being sent to the ambari agent. These configurations contain
all parameters of the cluster, and are therefore prone to containing admin
passwords; it undermines the SSL encryption completely. Unless we’re mistaken,
the correct permissions should be 0600.

Further suggestions:  
chmod -R 0600 /var/lib/ambari-agent/data  
chmod -R a+X /var/lib/ambari-agent/data  
chmod -R a+rx /var/lib/ambari-agent/data/tmp  
chmod 0600 /var/lib/ambari-agent/keys/*.key

Ideally ambari would separate out this temporary directory and even smartly
review creation of files to be chowned to the correct user. These scripts
often are created from templates and may then also possibly contain passwords.

**DO NOT CREATE AN EXTERNAL APACHE JIRA**





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
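
An audit for the two findings in the ticket above, as an added example that is not part of the original message or of Ambari's own code. The function names are hypothetical, `data/tmp` is skipped because the ticket's suggested commands leave it readable, and treating any group/other bit on `data` as a finding is an assumption based on the 0700 the ticket proposes.

```shell
#!/bin/sh
# Added example: check an Ambari agent state directory for the permission
# problems described in AMBARI-13087. Read-only; it changes nothing.

# find(1) expression matching any permission bit granted to group or other.
# Left unquoted at the call sites on purpose so it splits into arguments.
GO_BITS='( -perm -040 -o -perm -020 -o -perm -010 -o -perm -004 -o -perm -002 -o -perm -001 )'

# report LABEL PATHS: print one FINDING line per path; return 1 if any path given.
report() {
    [ -z "$2" ] && return 0
    printf '%s\n' "$2" | sed "s|^|FINDING ($1): |"
    return 1
}

# audit_agent_perms [ROOT]: ROOT defaults to the path named in the ticket.
# Returns 0 when nothing is flagged, 1 otherwise.
audit_agent_perms() {
    root=${1:-/var/lib/ambari-agent}
    rc=0

    # Finding 1: the data directory itself should be owner-only (0700).
    report "data dir open to group/other" \
        "$(find "$root/data" -prune $GO_BITS 2>/dev/null)" || rc=1

    # Command output files whose own mode grants read to "other".
    # data/tmp is pruned: the ticket's commands keep it a+rx.
    report "world-readable output file" \
        "$(find "$root/data" -path "$root/data/tmp" -prune \
            -o -type f -perm -004 -print 2>/dev/null)" || rc=1

    # Finding 2: agent private keys should be 0600.
    report "key readable beyond owner" \
        "$(find "$root/keys" -type f -name '*.key' $GO_BITS 2>/dev/null)" || rc=1

    return $rc
}
```

On an agent host, call `audit_agent_perms` with no argument; a non-zero exit status means at least one FINDING line was printed.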
