StackStorm credentials leak from '~/.st2/config' #558

Open
arm4b opened this issue May 24, 2018 · 1 comment · May be fixed by #563

arm4b commented May 24, 2018

The curl|bash installer creates a ~/.st2/config file containing StackStorm login creds with read-all permissions:

```
$ ls -la ~/.st2/config
-rw-r--r-- 1 vagrant vagrant 54 May 23 14:09 /home/vagrant/.st2/config
```

This way an unauthorized Linux user can read the st2 login creds (username:password) saved by the other user.


Ideally, the ~/.st2/ dir should also have 2750 permissions (currently 0755); that part could be addressed in StackStorm/st2 core itself.
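One way an installer could write the file without the exposure reported above, together with a check for the world-readable state. This is an added example, not code from the StackStorm installer or from the issue author. The function names, the `[credentials]` layout, the 0600 file mode and the sample values are assumptions; the 2750 directory mode is the one proposed in the issue.

```bash
#!/usr/bin/env bash
# Added example, not StackStorm code. The [credentials] layout and all
# values written to the file are constructed for illustration.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds (0) when "other" users have any permission bit on the path.
others_can_access() {
    case "$(mode_of "$1")" in
        *[1-7]) return 0 ;;   # last octal digit is the "other" triplet
        *)      return 1 ;;
    esac
}

# Write the credentials so they are never world-readable, even briefly:
# mktemp creates its file with mode 0600, and mv swaps it into place
# atomically, which also replaces a pre-existing 0644 file.
write_st2_config() {
    local dir=$1 user=$2 pass=$3 tmp
    mkdir -p "$dir" || return 1
    chmod 2750 "$dir" || return 1      # directory mode proposed in the issue
    tmp=$(mktemp "$dir/config.XXXXXX") || return 1
    printf '[credentials]\nusername = %s\npassword = %s\n' "$user" "$pass" > "$tmp" &&
        mv -f "$tmp" "$dir/config"
}

# Reproduce the reported state in a scratch directory, then correct it.
demo() {
    local scratch cfg
    scratch=$(mktemp -d) || return 1
    cfg="$scratch/.st2/config"
    mkdir -m 0755 "$scratch/.st2"
    ( umask 022; echo 'placeholder' > "$cfg" )
    others_can_access "$cfg" && echo "before: mode $(mode_of "$cfg"), readable by other users"
    write_st2_config "$scratch/.st2" 'example-user' 'example-password'
    others_can_access "$cfg" || echo "after:  mode $(mode_of "$cfg"), owner only"
    rm -rf "$scratch"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo` to see the before and after modes in a scratch directory; nothing under the real `~/.st2` is touched.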
