[Secure-testing-team] Bug#870271: zookeeper: insecure permissions of /var/lib/zookeeper
Christoph Anton Mitterer
calestyo at scientia.net
Mon Jul 31 13:03:40 UTC 2017
Source: zookeeper
Severity: grave
Tags: security
Justification: user security hole
Hi.
It seems there is a grave permission issue in the zookeeper package,
namely that /var/lib/zookeeper is created world-readable.
Since ZK creates its files world-readable as well, any user on the system
can extract any data stored with ZK, which can easily contain very
sensitive information on the clustered system relying on ZK.
Cheers,
Chris.
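
An audit for the condition reported above, as an added example that is not part of the original message or of the zookeeper package. The function names and the demo tree are hypothetical and constructed for illustration; only the path /var/lib/zookeeper comes from the report.

```shell
#!/bin/sh
# Added example: check a data directory for access granted to "other" users.

# Succeeds (exit 0) if DIR itself grants read, write or search to "other".
top_dir_open_to_others() {
    [ -n "$(find "$1" -prune \( -perm -o=r -o -perm -o=w -o -perm -o=x \) -print)" ]
}

# Prints the number of regular files under DIR with the other-read bit set.
count_other_readable() {
    find "$1" -type f -perm -o=r -print | wc -l | tr -d ' '
}

# Removes all "other" permissions from DIR itself. Files inside keep their
# modes, but other users can no longer traverse into the directory.
restrict_data_dir() {
    chmod o-rwx "$1"
}

# Builds a constructed demo tree (not real ZooKeeper data): directories at
# 0755 containing two files at 0644, the situation described in the report.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    mkdir "$d/data"
    printf 'constructed sample\n' > "$d/data/snapshot.0"
    printf 'constructed sample\n' > "$d/data/log.1"
    chmod 0755 "$d" "$d/data"
    chmod 0644 "$d/data/snapshot.0" "$d/data/log.1"
    printf '%s\n' "$d"
}

# Usage: sh audit.sh /var/lib/zookeeper   (path taken from the report)
if [ "$#" -gt 0 ]; then
    if top_dir_open_to_others "$1"; then
        echo "$1: accessible to other users"
    else
        echo "$1: closed to other users"
    fi
    echo "other-readable files: $(count_other_readable "$1")"
fi
```

Restricting only the top-level directory leaves the files' own modes unchanged, so the file count stays the same when run as the owner; the directory's missing search bit is what keeps other users out.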