Openbravo Issue Tracking System - Openbravo ERP |
| View Issue Details |
|
| ID | Project | Category | View Status | Date Submitted | Last Update |
| 0013405 | Openbravo ERP | C. Security | public | 2010-05-21 04:29 | 2010-08-19 00:00 |
|
| Reporter | gboyce | |
| Assigned To | jpabloae | |
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | |
| Platform | | OS | 20 | OS Version | Professional Appliance |
| Product Version | | |
| Target Version | | Fixed in Version | 2.50MP21 | |
| Merge Request Status | |
| Review Assigned To | |
| OBNetwork customer | No |
| Web browser | |
| Modules | Core |
| Support ticket | |
| Regression level | |
| Regression date | |
| Regression introduced in release | |
| Regression introduced by commit | |
| Triggers an Emergency Pack | No |
|
| Summary | 0013405: Swap is world readable on the OpenBravo Appliance |
| Description | Sorry if I filed this against the wrong component, but this is a bug against the virtual appliance for OpenBravo, not the OpenBravo code itself.
While trying out the OpenBravo appliance for VirtualBox (OpenbravoERP-2.50MP17-x86.virtualbox.vdi), I noticed that the system uses /var/swap as a swap file. This swap file has group/world readable permissions, allowing any local users to access the memory of swapped out processes.
Not too serious if there are no additional local users, but it can be dangerous if limited access login accounts are allowed on the system. |
| Steps To Reproduce | [openbravo@new-host-2 ~]$ ls -l /var/swap
-rw-r--r-- 1 root root 134217728 2010-05-13 05:40 /var/swap
|
| Proposed Solution | chmod 600 /var/swap |
| Additional Information | |
| Tags | No tags attached. |
| Relationships | |
| Attached Files | |
|
| Issue History |
| Date Modified | Username | Field | Change |
| 2010-05-21 04:29 | gboyce | New Issue | |
| 2010-05-21 04:29 | gboyce | Assigned To | => alostale |
| 2010-05-24 08:40 | alostale | Assigned To | alostale => jpabloae |
| 2010-05-24 08:40 | alostale | Status | new => scheduled |
| 2010-05-24 08:40 | alostale | fix_in_branch | => pi |
| 2010-06-01 18:28 | jpabloae | Status | scheduled => acknowledged |
| 2010-06-01 18:41 | jpabloae | Status | acknowledged => scheduled |
| 2010-06-01 18:41 | jpabloae | Note Added: 0027871 | |
| 2010-07-30 17:26 | jpabloae | Note Added: 0029715 | |
| 2010-07-30 17:26 | jpabloae | Status | scheduled => resolved |
| 2010-07-30 17:26 | jpabloae | Fixed in Version | => 2.50MP21 |
| 2010-07-30 17:26 | jpabloae | Fixed in SCM revision | => n/a |
| 2010-07-30 17:26 | jpabloae | Resolution | open => fixed |
| 2010-08-18 14:16 | psarobe | Status | resolved => closed |
| 2010-08-19 00:00 | anonymous | sf_bug_id | 0 => 3048127 |