Bug 194636 - net-mgmt/icinga2: serious security issue with ido-pgsql.conf/ido-mysql.conf
Summary: net-mgmt/icinga2: serious security issue with ido-pgsql.conf/ido-mysql.conf
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s) (show other bugs)
Version: Latest
Hardware: Any Any
: --- Affects Many People
Assignee: freebsd-ports-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-10-27 17:28 UTC by O. Hartmann
Modified: 2014-10-27 20:07 UTC (History)
1 user (show)

See Also:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description O. Hartmann 2014-10-27 17:28:55 UTC
Port net-mgmt/icinga2 provides gathering of status and monitoring informations via IDO in an appropriate DB backend, prefereably PostgreSQL or MySQL. For accessing the proper database, the module-configuration file has to be edited manually to match the correct login/database credetilas. This means one has to put the login and password for the DB access in /usr/local/etc/icinga2/feature-avalable/ido-pgsql.conf (or ido-mysql.conf, if MySQL backend is preferred).

The access mode for all files is set to octal 644, so world has read access to the content. This is considered a security issue. I was able to prevent the file from being read by strangers by setting all access bits to 640 octal and change the group to "icinga" - which is the standard icinga user created when installing the port net-mgmt/icinga2 and under which ID the icinga2 daemon is running.
Comment 1 Bugzilla Automation freebsd_committer 2014-10-27 17:28:55 UTC
Maintainers CC'd
Comment 2 commit-hook freebsd_committer 2014-10-27 20:07:17 UTC
A commit references this bug:

Author: lme
Date: Mon Oct 27 20:07:02 UTC 2014
New revision: 371606
URL: https://svnweb.freebsd.org/changeset/ports/371606

Log:
  - Chown icinga:icinga and chmod 640 on etc/icinga2/feature-avalable/ido-{pgsql,mysql}.conf so normal users can't spy on the database passwords
  - Bump PORTREVISION

  PR:		194636
  Submitted by:	Oliver Hartmann <ohartman@zedat.fu-berlin.de>

Changes:
  head/net-mgmt/icinga2/Makefile
  head/net-mgmt/icinga2/pkg-plist
Comment 3 Lars Engels freebsd_committer 2014-10-27 20:07:56 UTC
Thanks for catching this! Fix committed.