From 75e462560ba9bafcd4fe1e05b3d1cf15c23b8162 Mon Sep 17 00:00:00 2001
From: Tomas Kopecek
Date: Sep 07 2020 07:42:16 +0000
Subject: PR#2474: stricter config file permissions Merges #2474 https://pagure.io/koji/pull-request/2474 Fixes: #2124 https://pagure.io/koji/issue/2124 Incorrect perms on hub/web config
---
diff --git a/docs/source/server_howto.rst b/docs/source/server_howto.rst
index 26d9e7e..da80aff 100644
--- a/docs/source/server_howto.rst
+++ b/docs/source/server_howto.rst
@@ -648,6 +648,7 @@ Configuration Files
 -------------------
 * ``/etc/koji-hub/hub.conf``
+* ``/etc/koji-hub/hub.conf.d/*``
 * ``/etc/httpd/conf/httpd.conf``
 * ``/etc/httpd/conf.d/kojihub.conf``
 * ``/etc/httpd/conf.d/ssl.conf`` (when using ssl auth)
@@ -766,6 +767,16 @@ Apache to connect to the remote PostgreSQL server::
 root@localhost$ setsebool -P httpd_can_network_connect_db=1
+Note, that database connection parameters (password) are sensitive values.
+Config is installed by default with 0640 root/apache file permissions. If you're
+not installing hub from rpm double-check these permissions.
+
+Furthermore, you can install any config file in ``/etc/koji-hub/hub.conf.d``
+directory. These files are read *at first* and main config is allowed to
+override all these values. So, you can use e.g.
+``/etc/koji-hub/hub.conf.d/secret.conf`` for sensitive values. Typical usecase
+for separate config is :doc:`policy ` configuration file.
+
 Authentication Configuration
 ----------------------------
@@ -914,6 +925,7 @@ Configuration Files
 * ``/etc/httpd/conf.d/kojiweb.conf``
 * ``/etc/httpd/conf.d/ssl.conf``
 * ``/etc/kojiweb/web.conf``
+* ``/etc/kojiweb/web.conf.d/*``
 Install Koji-Web
 ----------------
@@ -973,7 +985,14 @@ it should use to access the hub, the koji packages and its own web interface. You will also need to tell kojiweb where it can find the SSL certificates for each of these components. If you are using SSL authentication, the "WebCert" line below must contain both the public **and** private key. You will also want
-to change the last line in the example below to a unique password.
+to change the last line in the example below to a unique password. Also check
+the file permissions (due to Secret value) if you're not installing koji web
+from rpm (0640, root/apache by default).
+
+Furthermore, you can install any config file in ``/etc/kojiweb/web.conf.d``
+directory. These files are read *at first* and main config is allowed to
+override all these values. So, you can use e.g.
+``/etc/kojiweb/web.conf.d/secret.conf`` for sensitive values.
 ::
diff --git a/hub/hub.conf b/hub/hub.conf
index 8b14bc2..dae14da 100644
--- a/hub/hub.conf
+++ b/hub/hub.conf
@@ -11,6 +11,7 @@ DBName = koji
 DBUser = koji
 #DBHost = db.example.com
 #DBPort = 5432
+#Note, that db password is sensitive and this file shouldn't be publicly readable.
 #DBPass = example_password
 KojiDir = /mnt/koji
diff --git a/koji.spec b/koji.spec
index 6d3b2ae..8ba39e9 100644
--- a/koji.spec
+++ b/koji.spec
@@ -500,9 +500,9 @@ rm -rf $RPM_BUILD_ROOT
 %if 0%{py3_support} > 1
 %files hub
-%config(noreplace) /etc/httpd/conf.d/kojihub.conf
+%config(noreplace) %attr(0640, root, apache) /etc/httpd/conf.d/kojihub.conf
 %dir /etc/koji-hub
-%config(noreplace) /etc/koji-hub/hub.conf
+%config(noreplace) %attr(0640, root, apache) /etc/koji-hub/hub.conf
 %dir /etc/koji-hub/hub.conf.d
 %{_sbindir}/koji-sweep-db
 %if %{use_systemd}
diff --git a/www/conf/web.conf b/www/conf/web.conf
index cd176b0..2be8578 100644
--- a/www/conf/web.conf
+++ b/www/conf/web.conf
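Review bot: The comment added above `#DBPass` in hub/hub.conf says the file "shouldn't be publicly readable" but never states what that means in practice, so an admin installing from source still has to go to the docs to learn the intended mode and owner. Since the spec in this same PR installs the file as 0640 root/apache, the comment can say so directly: `#Note: DBPass is sensitive; keep this file readable only by root and the httpd user (0640 root:apache), which is how the rpm installs it.` Minor wording: "Note, that" reads better as "Note that".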
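Review bot: `%dir /etc/koji-hub/hub.conf.d` keeps its default attributes in this hunk, while the docs change in the same PR tells admins to put database credentials into `hub.conf.d/secret.conf`; a file created there by root will normally be world-readable unless the admin remembers to chmod it, so the new `%attr` on hub.conf only protects one of the two places the PR now recommends for the secret. Consider `%dir %attr(0750, root, apache) /etc/koji-hub/hub.conf.d` so other local users cannot traverse into the directory, and have the docs state that files dropped there need 0640 root:apache themselves. This hunk sits inside `%if 0%{py3_support} > 1`; if koji.spec has a parallel `%files hub` list for the other branch, it needs the same two `%attr` lines (the rest of that conditional is outside the hunk). The kojiweb docs in this PR claim web.conf is 0640 root/apache by default, but no `%files web` entry changes here, so please confirm that attribute already exists in the spec rather than relying on the docs alone.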
@@ -21,7 +21,7 @@ KojiFilesURL = http://server.example.com/kojifiles
 LoginTimeout = 72
-# This must be changed and uncommented before deployment
+# This must be CHANGED to random value and uncommented before deployment
 # Secret = CHANGE_ME
 LibPath = /usr/share/koji-web/lib
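Review bot: The reworded comment asks for a "random value" but gives no hint about its strength, and unlike hub/hub.conf in this PR the web.conf hunk gets no note that the file becomes sensitive once `Secret` is set, even though the docs change relies on that. Suggest `# This must be CHANGED to a long value from a cryptographically secure random generator and uncommented before deployment` followed by `# Note: Secret is sensitive; keep this file readable only by root and the httpd user (0640 root:apache).` so both shipped configs carry the same guidance.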