[ovirt-users] Problem with reporting

Alon Bar-Lev alonbl at redhat.com
Mon Jun 23 07:17:58 UTC 2014



----- Original Message -----
> From: "Sven Kieske" <S.Kieske at mittwald.de>
> To: "Alon Bar-Lev" <alonbl at redhat.com>
> Cc: users at ovirt.org
> Sent: Monday, June 23, 2014 10:04:35 AM
> Subject: Re: [ovirt-users] Problem with reporting
> 
> 
> 
> On 23.06.2014 08:58, Alon Bar-Lev wrote:
> > 
> > 
> > ----- Original Message -----
> >> From: "Sven Kieske" <S.Kieske at mittwald.de>
> >> To: users at ovirt.org
> >> Sent: Monday, June 23, 2014 9:48:36 AM
> >> Subject: Re: [ovirt-users] Problem with reporting
> >>
> >> This is somewhat..insecure.
> >>
> >> In which ovirt version was this changed to /var/lib, shouldn't this
> >> qualify for a
> >> CVE entry? I didn't see any security notification coming up for this.
> > 
> > why insecure?
> > 
> > /var/lib/ovirt-engine is secure at the same level of /var/tmp/ovirt-engine
> 
> Please correct me if I'm wrong but on my CentOS 6.5 /var/tmp/ is world
> writeable whereas /var/lib/ is not.
> 
> So any malicious content on this machine could modify the ovirt jboss
> instance, or not?

/var/tmp has t attribute, just like /tmp.
and we create /var/tmp/ovirt-engine with specific permissions, see /var/tmp/ovirt-engine/config/ for example.
the same structure will be moved to /var/lib/ovirt-engine/deployments or similar.

Alon
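
The point made in the reply above (a sticky-bit parent plus specific permissions on the subdirectory), as an added example that is not part of the original message or of oVirt's code. The function name audit_app_dir and the directory names are hypothetical, and the sample directory tree is constructed in a temporary location.

```python
import os
import stat
import tempfile

def audit_app_dir(path, expected_uid):
    """Return findings for an application directory that lives under a
    shared parent such as /var/tmp. An empty list means nothing was found."""
    findings = []
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    # A world-writable parent is only tolerable with the sticky bit (t),
    # which stops users from renaming or deleting entries they do not own.
    if (pst.st_mode & stat.S_IWOTH) and not (pst.st_mode & stat.S_ISVTX):
        findings.append("parent is world-writable without sticky bit")
    st = os.lstat(path)  # lstat: do not follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        return findings + ["path is a symlink"]
    if not stat.S_ISDIR(st.st_mode):
        return findings + ["path is not a directory"]
    if st.st_uid != expected_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("directory is group- or world-writable")
    return findings

def demo():
    """Constructed sample: a stand-in for /var/tmp with an app directory."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "tmp")
        os.mkdir(shared)
        os.chmod(shared, 0o1777)          # like /var/tmp: rwxrwxrwt
        app = os.path.join(shared, "app")
        os.mkdir(app)
        os.chmod(app, 0o750)              # restrictive, owner-controlled
        results["sticky_0750"] = audit_app_dir(app, os.getuid())
        os.chmod(app, 0o777)              # subdirectory left wide open
        results["sticky_0777"] = audit_app_dir(app, os.getuid())
        os.chmod(app, 0o750)
        os.chmod(shared, 0o777)           # sticky bit removed from parent
        results["nosticky_0750"] = audit_app_dir(app, os.getuid())
    return results

if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```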


