History | Log In     View a printable version of the current page.  
   HOME       BROWSE PROJECT       FIND ISSUES   
    QUICK SEARCH:  
Issue Details (XML | Word | Printable)

Key: JM-1231
Type: Bug Bug
Status: Closed Closed
Resolution: Fixed
Priority: Major Major
Assignee: Daniel Henninger
Reporter: Daniel Henninger
Votes: 1
Watchers: 0
Operations

If you were logged in you would be able to see more operations.
Openfire

Logs should not be world readable

Created: 12/28/07 10:41 AM   Updated: 01/10/08 05:45 PM
Component/s: Core
Affects Version/s: None
Fix Version/s: 3.4.4

Time Tracking:
Not Specified

File Attachments: 1. Text File deb_installation.log (2 kb)
Environment: Unix based installs at a minimum

Support Plan Customer Issue: No
Resolution Date: 01/10/08 05:45 PM
Acceptance Test - Add?: No


 Description  « Hide
The log directory should not be world readable. This could post a security concern if you allow untrusted people to log into your server or access your file system on the server in some way. Why you would do that I do not know, but we should use proper permissions none-the-less.

 All   Comments   Work Log   Change History   Subversion Commits      Sort Order: Ascending order - Click to sort in descending order
[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 02:12 PM
Looking over this a bit, there's more that shouldn't be world readable. Really openfire's home directory shouldn't be world readable. In theory someone getting on the machine could easily cd to /opt/openfire/conf and look at your ldap password info or database info. Could go into /opt/openfire/enterprise and 'borrow' your license. Could go into /opt/openfire/resources/security and borrow your keystores and such. None of these are good.

[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 08:53 PM
So.. things to check:
  • Solaris package
  • RPM package
  • DEB package
  • Mac package

[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 09:08 PM
RPM, check.

[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 09:13 PM
Debian, check.

[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 09:16 PM
Solaris and Mac, check.

[ Permlink | « Hide ]
Daniel Henninger - 01/03/08 09:36 PM
Enterprise, check. Done.

[ Permlink | « Hide ]
Francisco Vives - 01/09/08 08:23 AM
There was an error installing the .deb on debian. The package requires sun-java5-jre but it was installed sun-java6-jre. The package may check for sun-java6-jre | sun-java5-jre. Attached is the installation log deb_installation.log.

After installing the RPM in a Fedora environment, openfire couldn't write the output log because of permission denied.
Powered by a free Atlassian JIRA open source license for igniterealtime.org. Try JIRA - bug tracking software for your team.
Atlassian JIRA the Professional Issue Tracker. (Enterprise Edition, Version: 3.12.2-#300) - Bug/feature request - Atlassian news - Contact Administrators