Posted to dev@allura.apache.org by Dave Brondsema <da...@brondsema.net> on 2016/09/09 19:29:40 UTC
[allura:tickets] #8127 Fix how we write the .google_authenticator file
---
**[tickets:#8127] Fix how we write the .google_authenticator file**
**Status:** review
**Milestone:** unreleased
**Labels:** security
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Fri Sep 09, 2016 07:29 PM UTC
**Owner:** Dave Brondsema
The Google Authenticator PAM module will write the `.google_authenticator` file with permission `400 (-r--------)` and then Allura can't write to it. We also need to write it with `400` or `600` perms, so it is secure for PAM to use it afterwards. And best to do it atomically, with a file rename operation.
---
Sent from forge-allura.apache.org because dev@allura.apache.org is subscribed to https://forge-allura.apache.org/p/allura/tickets/
To unsubscribe from further messages, a project admin can change settings at https://forge-allura.apache.org/p/allura/admin/tickets/options. Or, if this is a mailing list, you can unsubscribe from the mailing list.
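The write described in the ticket (owner-only permissions, temp file plus rename), as an added Python example; it is not Allura's code or the change reviewed in this ticket. The function name, the `.tmp-` prefix and the sample secrets are assumptions constructed for illustration.

```python
import os
import stat
import tempfile


def write_secret_atomically(path, data, mode=0o600):
    """Write bytes to `path` with owner-only permissions via temp file + rename."""
    if mode & 0o077:
        raise ValueError("mode must not grant group/other access")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file with O_EXCL and mode 0600 in the same directory,
    # so the rename below stays on one filesystem and is atomic.
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as tmp:
            tmp.write(data)
            tmp.flush()
            os.fsync(tmp.fileno())  # contents reach disk before the rename
        os.chmod(tmp_path, mode)  # final perms are set before the file is visible
        # rename() needs write access to the directory, not to the old file,
        # so an existing 0400 target is replaced without ever being opened.
        os.replace(tmp_path, path)
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def demo():
    """Constructed scenario: a 0400 file already exists and must be rewritten."""
    with tempfile.TemporaryDirectory() as home:
        target = os.path.join(home, ".google_authenticator")
        write_secret_atomically(target, b"OLDSECRET-constructed\n", mode=0o400)
        write_secret_atomically(target, b"NEWSECRET-constructed\n", mode=0o400)
        with open(target, "rb") as f:
            content = f.read()
        final_mode = stat.S_IMODE(os.stat(target).st_mode)
        leftovers = [n for n in os.listdir(home) if n.startswith(".tmp-")]
        return content, final_mode, leftovers


if __name__ == "__main__":
    print(demo())
```

Readers of the target path see either the old file or the complete new one, never a partially written secret or one with wider permissions.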
[allura:tickets] #8127 Fix how we write the .google_authenticator file
Posted by Dave Brondsema <da...@brondsema.net>.
db/8127
[allura:tickets] #8127 Fix how we write the .google_authenticator file
Posted by Dave Brondsema <da...@brondsema.net>.
- **status**: review --> closed
---
**[tickets:#8127] Fix how we write the .google_authenticator file**
**Status:** closed
**Milestone:** unreleased
**Labels:** security
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Thu Sep 15, 2016 02:22 PM UTC
**Owner:** Dave Brondsema
---
[allura:tickets] #8127 Fix how we write the .google_authenticator file
Posted by Kenton Taylor <kt...@slashdotmedia.com>.
Looks good, clear to merge.
---
**[tickets:#8127] Fix how we write the .google_authenticator file**
**Status:** review
**Milestone:** unreleased
**Labels:** security
**Created:** Fri Sep 09, 2016 07:29 PM UTC by Dave Brondsema
**Last Updated:** Fri Sep 09, 2016 07:30 PM UTC
**Owner:** Dave Brondsema
---