You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2016/09/09 19:29:40 UTC

[allura:tickets] #8127 Fix how we write the .google_authenticator file



---

** [tickets:#8127] Fix how we write the .google_authenticator file**

**Status:** review
**Milestone:** unreleased
**Labels:** security 
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Fri Sep 09, 2016 07:29 PM UTC
**Owner:** Dave Brondsema


The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it.  We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards.  And best to do it atomically, with a file rename operation.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #8127 Fix how we write the .google_authenticator file

Posted by Dave Brondsema <da...@brondsema.net>.

db/8127


---

** [tickets:#8127] Fix how we write the .google_authenticator file**

**Status:** review
**Milestone:** unreleased
**Labels:** security 
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Fri Sep 09, 2016 07:29 PM UTC
**Owner:** Dave Brondsema


The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it.  We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards.  And best to do it atomically, with a file rename operation.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #8127 Fix how we write the .google_authenticator file

Posted by Dave Brondsema <da...@brondsema.net>.

- **status**: review --> closed



---

** [tickets:#8127] Fix how we write the .google_authenticator file**

**Status:** closed
**Milestone:** unreleased
**Labels:** security 
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Thu Sep 15, 2016 02:22 PM UTC
**Owner:** Dave Brondsema


The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it.  We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards.  And best to do it atomically, with a file rename operation.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.

[allura:tickets] #8127 Fix how we write the .google_authenticator file

Posted by Kenton Taylor <kt...@slashdotmedia.com>.

Looks good, clear to merge.


---

** [tickets:#8127] Fix how we write the .google_authenticator file**

**Status:** review
**Milestone:** unreleased
**Labels:** security 
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Fri Sep 09, 2016 07:30 PM UTC
**Owner:** Dave Brondsema


The google authenticator PAM module will write the `.google_authenticator` files with permission `400 (-r--------)` and then Allura can't write to it.  We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards.  And best to do it atomically, with a file rename operation.


---

Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/

To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options.  Or, if this is a mailing list, you can unsubscribe from the mailing list.