Hi all, The setup code of ovirt releases 3.2 and older set wrong permissions for several files, depending on options chosen during setup/upgrade. The potentially-affected files are: /etc/sysconfig/nfs /etc/sysconfig/iptables /etc/httpd/conf/httpd.conf.BACKUP* /etc/httpd/conf.d/ssl.conf.BACKUP* files under the ISO domain copied there by setup, by default under /var/lib/exports The bug does not affect systems with linux kernels older than 3.1, which included undocumented behavior that prevented it from occurring. Here is a link to the kernel patch that dropped this undocumented behavior: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/... In practice this means that among the distributions supported by ovirt, only ovirt on Fedora is affected. ovirt 3.3 is not affected as-is. Systems upgraded from 3.2 might still have the files with wrong permissions, and should follow the actions below. How to fix an existing system? Change the permissions of existing files by running the following commands as root: chmod 600 /etc/sysconfig/nfs chmod 600 /etc/sysconfig/iptables chmod 600 /etc/httpd/conf/httpd.conf.BACKUP* chmod 600 /etc/httpd/conf.d/ssl.conf.BACKUP* find /var/lib/exports -perm /002 -type f -exec chmod 600 {} \; For the last command, replace "/var/lib/exports" with the appropriate directory, if you did not accept the default during setup and configured another directory to hold the ISO domain. A fix for this bug was pushed to gerrit: http://gerrit.ovirt.org/19557 Security implications: This bug allows local users escalate their privileges by editing /etc/sysconfig/nfs and waiting until the nfs service will be started/stopped (e.g. a reboot of the machine). -- Didi