Andrew Onischuk created AMBARI-13087:
----------------------------------------

Summary: Verify if restricting acls on /var/lib/ambari-agent/data will be OK
Key: AMBARI-13087
URL: https://issues.apache.org/jira/browse/AMBARI-13087
Project: Ambari
Issue Type: Bug
Reporter: Andrew Onischuk
Assignee: Andrew Onischuk
Fix For: 2.1.2

**DO NOT CREATE AN EXTERNAL APACHE JIRA**

Add the findings to this JIRA. This is a potential security issue and hence a different process needs to be followed.

1. The permissions of the /var/lib/ambari-agent/data folder are 0744. The data folder contains output and error streams from all ambari agents’ commands. If a script prints any of its parameters to the screen, such as passwords, either while succeeding, or when an exception is thrown, then all users on the system are able to read this data. Unless we’re mistaken, the correct permissions on this folder should be 0700.

2. The permissions of the /var/lib/ambari-agent/keys/<hostname>.key private key are set to 0644. This makes the private key of the ambari agent publicly readable. As far as we know, ambari agents talk to the server with SSL using the key placed here (if SSL is enabled). We think that within a short amount of time it is possible for any user on the system to craft the call to the ambari server pretending to be the ambari agent heartbeat, and intercept all configurations being sent to the ambari agent. These configurations contain all parameters of the cluster, and are therefore prone to containing admin passwords; it undermines the SSL encryption completely. Unless we’re mistaken, the correct permissions should be 0600.

Further suggestions:

    chmod -R 0600 /var/lib/ambari-agent/data
    chmod -R a+X /var/lib/ambari-agent/data
    chmod -R a+rx /var/lib/ambari-agent/data/tmp
    chmod 0600 /var/lib/ambari-agent/keys/*.key

Ideally ambari would separate out this temporary directory and even smartly review creation of files to be chowned to the correct user. These scripts often are created from templates and may then also possibly contain passwords.

**DO NOT CREATE AN EXTERNAL APACHE JIRA**

--
This message was sent by Atlassian JIRA (v6.3.4#6332)
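
A read-only check for the two conditions reported above, added here as an example and not part of the original issue or of Ambari's code. The function names and output labels are hypothetical; the directory layout and the exemption for data/tmp are taken from the report's suggested commands.

```shell
#!/bin/sh
# Added example (not Ambari code): read-only audit of the paths named in the
# issue. Function names and output labels are hypothetical.

# Run find with the caller's path and predicates, printing entries that have
# any group or other permission bit set. POSIX find has no "any of these
# bits" test, so each bit is listed separately.
scan() {
    find "$@" \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null
}

# Usage: audit_agent_perms [agent_root]
# Prints one finding per line; returns 1 if anything is exposed, else 0.
audit_agent_perms() {
    root=${1:-/var/lib/ambari-agent}
    findings=$(
        # data/ itself: the issue proposes 0700 (-prune stops descent).
        scan "$root/data" -prune -type d | sed 's/^/DATA_DIR /'
        # Command output files under data/: the issue proposes 0600.
        # data/tmp is skipped because the suggested commands open it up.
        scan "$root/data" -path "$root/data/tmp" -prune -o -type f |
            sed 's/^/DATA_FILE /'
        # Agent private keys: the issue proposes 0600.
        scan "$root/keys" -type f -name '*.key' | sed 's/^/KEY /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```
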