----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: "Alon Bar-Lev" <alonbl@redhat.com> Cc: users@ovirt.org Sent: Monday, June 23, 2014 10:04:35 AM Subject: Re: [ovirt-users] Problem with reporting
Am 23.06.2014 08:58, schrieb Alon Bar-Lev:
----- Original Message -----
From: "Sven Kieske" <S.Kieske@mittwald.de> To: users@ovirt.org Sent: Monday, June 23, 2014 9:48:36 AM Subject: Re: [ovirt-users] Problem with reporting
This is somewhat..insecure.
In which ovirt version was this changed to /var/lib, shouldn't this qualify for an cve entry? I didn't see any security notification coming up for this.
why insecure?
/var/lib/ovirt-engine is secure at the same level of /var/tmp/ovirt-engine
Please correct me if I'm wrong but on my CentOS 6.5 /var/tmp/ is world writeable whereas /var/lib/ is not.
So any malicious content on this machine could modify the ovirt jboss instance, or not?
/var/tmp as t attribute, just like /tmp. and we create /var/tmp/ovirt-engine with specific permissions, see /var/tmp/ovirt-engine/config/ for example. the same structure will be moved to /var/lib/ovirt-engine/deployments or similar. Alon