Openfire (ARCHIVED)

Logs should not be world readable

Details

  • Type: Bug
  • Status: Closed
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: None
  • Fix Version/s: 3.4.4
  • Component/s: Core
  • Labels: None
  • Environment: Unix based installs at a minimum
  • Acceptance Test - Add?: No

Description

The log directory should not be world readable. This could pose a security concern if you allow untrusted people to log into your server or access your file system on the server in some way. Why you would do that I do not know, but we should use proper permissions nonetheless.

Activity

Daniel Henninger added a comment -

Looking over this a bit, there's more that shouldn't be world readable. Really openfire's home directory shouldn't be world readable. In theory someone getting on the machine could easily cd to /opt/openfire/conf and look at your ldap password info or database info. Could go into /opt/openfire/enterprise and 'borrow' your license. Could go into /opt/openfire/resources/security and borrow your keystores and such. None of these are good.

Daniel Henninger added a comment -

So... things to check:

  • Solaris package
  • RPM package
  • DEB package
  • Mac package
Daniel Henninger added a comment -

RPM, check.

Daniel Henninger added a comment -

Debian, check.

Daniel Henninger added a comment -

Solaris and Mac, check.

Daniel Henninger added a comment -

Enterprise, check. Done.

Francisco Vives added a comment -

There was an error installing the .deb on Debian. The package requires sun-java5-jre but sun-java6-jre was installed. The package may check for sun-java6-jre | sun-java5-jre. Attached is the installation log deb_installation.log.

After installing the RPM in a Fedora environment, openfire couldn't write the output log because of permission denied.

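The two checks the thread calls for, Daniel's audit of the Openfire home for world-readable files and Francisco's observation that tightening permissions must not leave the logs directory unwritable for the daemon, can be scripted together. The following shell script is an added example, not code from this ticket or from the Openfire project; it assumes the /opt/openfire layout named in the comments (reproduced here in a constructed temp directory) and a service account name supplied by the caller.

```sh
#!/bin/sh
# Constructed helper, not Openfire's own code: audit and harden an Openfire home so logs,
# conf, enterprise and resources/security stop being world readable, while the logs
# directory stays owned by the service account. Paths and account name are assumptions.

# Print every file or directory under $1 whose mode grants read to "other" (bit 004).
world_readable() {
    find "$1" -perm -004 | sort
}

# Number of world-readable entries under $1; 0 means the tree passes the audit.
world_readable_count() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Clear all "other" bits below $1: directories 750, files 640. Ownership is deliberately
# untouched so the service account keeps the write access it already has.
harden_home() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Succeed only if $1/logs exists and is owned by user $2. A root-owned logs directory with
# other=0 is exactly what produces "permission denied" when the daemon opens its log.
logs_owned_by() {
    [ -d "$1/logs" ] && [ -n "$(find "$1/logs" -maxdepth 0 -user "$2" 2>/dev/null)" ]
}

# Build a constructed install layout in a temp dir with the permissive 755/644 modes a
# default umask produces, audit it, harden it, audit again, then clean up.
demo() {
    home=$(mktemp -d)
    for d in conf logs enterprise resources/security; do mkdir -p "$home/$d"; done
    printf '<!-- constructed placeholder for LDAP/database settings -->\n' > "$home/conf/openfire.xml"
    : > "$home/logs/openfire.log"
    : > "$home/resources/security/keystore"
    chmod -R u=rwX,go=rX "$home"
    before=$(world_readable_count "$home")
    harden_home "$home"
    after=$(world_readable_count "$home")
    printf 'world-readable entries before: %s, after: %s\n' "$before" "$after"
    rm -rf "$home"
}

demo
```

On a real install, run the audit as root against the actual home and confirm logs_owned_by with the account the init script starts the daemon as before restarting it.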
