vSphere CPI bundler is creating directories in Ops Man that are world writable and do not have the sticky bit set

[eoghank]

Describe the bug When the vSphere CPI is called to deploy BOSH Director it creates folders here in Ops Man that are world writable and do not have the sticky bit set (/tmp/bundler/home). This is a concern for security teams and our stemcell hardening guides do state that we try to limit world writable directories

To Reproduce Steps to reproduce the behavior:

1. Setup Ops Man on vSphere
2. Configure BOSH Director and Apply Changes
3. Look for the following folders in Ops Man that are created by the CPI: /tmp/bundler/home

Expected behavior Security teams expect that any world writable directories are either removed or have the sticky bit set Screenshots

Release Version & Related Info (please complete the following information):

• Ops Man 2.5
• vCenter Version 6.7

[labrown]

+1 for support on this issue. Please address it as soon as possible.

[ktchen14]

I suspect that this is from these lines in cpi.erb:

export HOME=~

export BUNDLE_GEMFILE=$BOSH_PACKAGES_DIR/vsphere_cpi/Gemfile
bundle_cmd="${BOSH_PACKAGES_DIR}/ruby-2.4-r4/bin/bundle"

exec $bundle_cmd exec $BOSH_PACKAGES_DIR/vsphere_cpi/bin/vsphere_cpi \
  $BOSH_JOBS_DIR/vsphere_cpi/config/cpi.json

That export HOME=~ line looks extraneous. What's the home directory when Ops Manager is invoking the CPI to deploy the BOSH director?

[labrown]

This directory also turns up on the BOSH Director as well.

[EleanorRigby]

245