----- Original Message -----
From: "Sven Kieske" <S.Kieske(a)mittwald.de>
To: "Alon Bar-Lev" <alonbl(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Monday, June 23, 2014 10:04:35 AM
Subject: Re: [ovirt-users] Problem with reporting
On 23.06.2014 08:58, Alon Bar-Lev wrote:
>
>
> ----- Original Message -----
>> From: "Sven Kieske" <S.Kieske(a)mittwald.de>
>> To: users(a)ovirt.org
>> Sent: Monday, June 23, 2014 9:48:36 AM
>> Subject: Re: [ovirt-users] Problem with reporting
>>
>> This is somewhat..insecure.
>>
>> In which ovirt version was this changed to /var/lib, shouldn't this
>> qualify for a CVE entry? I didn't see any security notification
>> coming up for this.
>
> why insecure?
>
> /var/lib/ovirt-engine is secure at the same level as /var/tmp/ovirt-engine
Please correct me if I'm wrong but on my CentOS 6.5 /var/tmp/ is world
writeable whereas /var/lib/ is not.
So any malicious content on this machine could modify the ovirt jboss
instance, or not?

/var/tmp has the t attribute, just like /tmp.
and we create /var/tmp/ovirt-engine with specific permissions, see
/var/tmp/ovirt-engine/config/ for example.
the same structure will be moved to /var/lib/ovirt-engine/deployments or similar.
Alon
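
The permission check discussed in this thread, as an added example that is not part of the original messages or of oVirt's own code: it audits a service directory that lives under a shared parent such as /var/tmp. The function name `audit_private_dir` and the `expected_uid` parameter are assumptions made for illustration, and the demo runs against a constructed temporary tree rather than a real installation.

```python
import os
import stat
import tempfile


def audit_private_dir(path, expected_uid):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable parent is only tolerable with the sticky ("t") bit,
    # which stops users from renaming or deleting entries they do not own.
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        findings.append("parent is world-writable without sticky bit")

    try:
        st = os.lstat(path)  # lstat: do not follow a symlink found at path
    except FileNotFoundError:
        return findings + ["directory does not exist"]
    if not stat.S_ISDIR(st.st_mode):
        return findings + ["path is not a real directory"]
    # The sticky bit protects the entry, not its contents: the directory
    # itself must belong to the service account and be closed to others.
    if st.st_uid != expected_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory is group- or world-writable")
    return findings


if __name__ == "__main__":
    # Constructed tree standing in for /var/tmp and /var/tmp/ovirt-engine.
    shared = tempfile.mkdtemp()
    os.chmod(shared, 0o1777)
    private = os.path.join(shared, "ovirt-engine")
    os.mkdir(private)
    os.chmod(private, 0o750)
    print(audit_private_dir(private, os.getuid()) or "ok")
```
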