Bug 221734 - net-mgmt/icinga2: api-users.conf has world readability access (oct 644) and contains passwords!
Status: Closed Works As Intended
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Lars Engels
Reported: 2017-08-23 08:05 UTC by O. Hartmann
Modified: 2018-10-12 12:35 UTC
bugzilla: maintainer-feedback? (lme)


Description O. Hartmann 2017-08-23 08:05:10 UTC
When installing port net-mgmt/icinga2 and someone intends to use satellites/zones, the icinga feature "API" needs to be enabled and set up.

When performing a trivial CLI command sequence "icinga2 api setup", a standard file is installed in the FreeBSD standard installation path called

/usr/local/etc/icinga2/conf.d/api-users.conf

which has the following access settings:

 -rw-r--r--  1 root  wheel   281 Aug 22 07:43 api-users.conf

So the file, although containing sensitive passwords for the remote API access, has world readability!

Changing the access rights with "chmod 600" ends up in a Compile error from icinga2 core, as well as "chmod 640", because icinga2 core is running uid:gid "icinga:icinga".

I performed "chown icinga:wheel api-users.conf" and "chmod 600 api-users.conf" to gain maximum protection - not aware of any other implications so far.
Comment 1 Walter Schwarzenfeld freebsd_triage 2018-02-08 11:13:32 UTC
Feedback please.
Comment 2 Lars Engels freebsd_committer freebsd_triage 2018-10-12 12:35:58 UTC
The icinga2 binary itself creates the file when you run "icinga2 api setup".
It's up to the upstream developers to change the file permissions.
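
The check and workaround from the description, as an added shell example that is not part of the bug report, the port or Icinga 2 itself: it lists `*.conf` files that are readable by "other" and contain a `password =` attribute, then restricts them to owner-only access. The function names are hypothetical; the directory and the `icinga:wheel` owner in the usage comment are the ones given in the report.

```shell
#!/bin/sh
# Added example (not from the bug report or the port).
# Usage, as root, with the path and owner named in the report:
#   harden_conf_dir /usr/local/etc/icinga2/conf.d icinga:wheel

# Print every *.conf file under $1 that is readable by "other" and
# contains a password attribute, as the ApiUser objects written by
# "icinga2 api setup" do.
find_exposed_confs() {
    # grep exits 1 when no file matches; that is not an error here.
    find "$1" -type f -name '*.conf' -perm -004 \
        -exec grep -l -E '^[[:space:]]*password[[:space:]]*=' {} + || true
}

# Apply the reporter's workaround to one file: owner-only access.
# $2 (owner[:group]) is optional because chown needs root. The owner
# must be the account the daemon runs as, otherwise icinga2 can no
# longer read its own configuration.
restrict_conf() {
    file=$1 owner=${2:-}
    if [ -n "$owner" ]; then
        chown "$owner" "$file" || return 1
    fi
    chmod 600 "$file"
}

# Audit a directory and restrict every exposed file.
# Prints one "restricted: <path>" line per file that was changed.
harden_conf_dir() {
    dir=$1 owner=${2:-}
    find_exposed_confs "$dir" | while IFS= read -r f; do
        restrict_conf "$f" "$owner" && printf 'restricted: %s\n' "$f"
    done
}
```

Because upstream's `icinga2 api setup` creates the file, the audit has to be repeated after every run of that command.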