You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ambari.apache.org by "Andrew Onischuk (JIRA)" <ji...@apache.org> on 2015/09/14 13:57:46 UTC

[jira] [Updated] (AMBARI-13087) Verify if restricting acls on /var/lib/ambari-agent/data will be OK

     [ https://issues.apache.org/jira/browse/AMBARI-13087?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andrew Onischuk updated AMBARI-13087:
-------------------------------------
    Description:     (was: **DO NOT CREATE AN EXTERNAL APACHE JIRA**  
Add the findings to this JIRA. This is a potential security issue and hence a
different process needs to be followed.

1\. the permissions of the /var/lib/ambari-agent/data folder is 0744. The data
folder contains output and error streams from all ambari agents’ commands. If
a script prints any of its parameters to the screen, such as passwords, either
while succeeding, or when an exception is thrown, then all users on the system
are able to read this data. Unless we’re mistaken, the correct permissions on
this folder should be 0700.

2\. The permissions of the /var/lib/ambari-agent/keys/<hostname>.key private
key is set to 0644. This makes the private key of the ambari agent publically
readable. As far as we know, ambari agents talk to the server with SSL using
the key placed here (if SSL is enabled). We think that within a short amount
of time it is possible for any user on the system to craft the call to the
ambari server pretending to be the ambari agent heartbeat, and intercept all
configurations being sent to the ambari agent. These configurations contain
all parameters of the cluster, and are therefore prone to containing admin
passwords, it undermines the SSL encryption completely. Unless we’re mistaken,
the correct permissions should be 0600.

Further suggestions:  
chmod -R 0600 /var/lib/ambari-agent/data  
chmod -R a+X /var/lib/ambari-agent/data  
chmod -R a+rx /var/lib/ambari-agent/data/tmp  
chmod 0600 /var/lib/ambari-agent/keys/*.key

Ideally ambari would separate out this temporary directory and even smartly
review creation of files to be chowned to the correct user. These scripts
often are created from templates and may then also possibly contain passwords.

**DO NOT CREATE AN EXTERNAL APACHE JIRA**

)

> Verify if restricting acls on /var/lib/ambari-agent/data will be OK
> -------------------------------------------------------------------
>
>                 Key: AMBARI-13087
>                 URL: https://issues.apache.org/jira/browse/AMBARI-13087
>             Project: Ambari
>          Issue Type: Bug
>            Reporter: Andrew Onischuk
>            Assignee: Andrew Onischuk
>             Fix For: 2.1.2
>
>




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)