voxpupuli / puppet-redis

Puppet Module to manage Redis
https://forge.puppet.com/puppet/redis
Apache License 2.0

redis.conf is readable by all #425

Closed jnguiot closed 3 years ago

jnguiot commented 3 years ago

Affected Puppet, Ruby, OS and module versions/distributions

How to reproduce (e.g Puppet code you use)

Install a Redis using default conf with a password

class{"redis":
    requirepass => "foo",
}

What are you seeing

The file /etc/redis/redis.conf, which contains the password, is readable by all users. Thus, it is trivial for a local unauthorized user to connect to the protected db.

What behaviour did you expect instead

The file /etc/redis/redis.conf should be readable only by redis user and its group.

Output log

N/A

Any additional information you'd like to impart

I would advocate setting the config_file_mode to 640 (see https://github.com/voxpupuli/puppet-redis/blob/3f7ecdd69061be0436c04c1dc9df8c20d884ea5f/manifests/init.pp#L276 ). It has an easy workaround (just set the config_file_mode manually); however, since I assume a lot of instances are using the default, I would think the more secure value should be the default. Plus, 640 is the default mode for the redis package.
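The check a practitioner would run before and after applying the workaround above, as an added example that is not part of the issue or of the puppet-redis module: it flags a redis.conf that sets `requirepass` while its mode grants read access to "other" (the 644 default the reporter describes), and passes once the file is 640. The function names, the temp directory and the sample config are constructed for the demo; in practice point it at /etc/redis/redis.conf. It relies on GNU `stat -c`.

```shell
# Added example (not from the issue or the puppet-redis module): audit a
# redis.conf for a requirepass directive in a file readable by "other".
# Paths and the sample file below are constructed for the demo.

# Return 0 if the file is world-readable (o+r bit set), 1 otherwise,
# 2 if it cannot be stat'ed. Uses GNU stat: %a prints the octal mode (644, 0640).
world_readable() {
    mode=$(stat -c '%a' "$1") || return 2
    # Last octal digit is the "other" class; POSIX trick: strip everything but it.
    other=${mode#"${mode%?}"}
    [ $(( other & 4 )) -ne 0 ]
}

# Return 0 if the config sets a password (uncommented requirepass with a value).
has_requirepass() {
    grep -Eq '^[[:space:]]*requirepass[[:space:]]+[^[:space:]]' "$1"
}

# Finding: exit 0 when a password is set AND any local user can read the file.
leaks_password() {
    has_requirepass "$1" && world_readable "$1"
}

# Demo on a constructed redis.conf (stands in for /etc/redis/redis.conf).
demo() {
    dir=$(mktemp -d)
    cfg="$dir/redis.conf"
    printf 'port 6379\nrequirepass foo\n' > "$cfg"

    chmod 0644 "$cfg"   # module default: every local user can read the password
    if leaks_password "$cfg"; then
        echo "FINDING: $cfg sets requirepass and is mode $(stat -c '%a' "$cfg")"
    fi

    chmod 0640 "$cfg"   # proposed default: owner (redis) and its group only
    if leaks_password "$cfg"; then
        echo "FINDING: $cfg is still world-readable"
    else
        echo "OK: $cfg is mode $(stat -c '%a' "$cfg")"
    fi
    rm -rf "$dir"
}
```

Note that the check only looks at mode bits; it does not prove the owner and group are the redis user and group, which the 640 mode relies on. The module-side fix is the parameter the issue points at, `config_file_mode`, which the workaround sets explicitly on the `redis` class.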

root-expert commented 3 years ago

Hello @jnguiot thanks for bringing this up. Are you able to provide a PR to fix this issue?

jnguiot commented 3 years ago

> Are you able to provide a PR to fix this issue?

Of course. Done in PR #427 (yep, that's a short one :smile: )