Passwords (root or other) should never be saved in a temp file or any other file unsecured

Hi,

I noticed that during the config process the root password is saved in the answer file in the /tmp folder. This is a security issue, as the root password should never be saved in an unsecured format in any file. Since the admin knows the root pw, Kaltura should remove it from that file and replace it with text that says the root pw was removed for security.

This should also apply to the admin console password. Also the username, as this would give anyone who looked at that file half of the security cover.

You already have a message on the config about the answer file; there should be a message in red about removing that file (or files) from the temp dir, either by deleting it or downloading it to a safe place offline and then deleting it.

I hope that during development there is someone in the loop whose job it is to watch for items such as this and help prevent them before release to the public.

Hello,

You’ll notice these files are permissioned with root.root and 600; therefore, only root can read them. Since the root user can log into MySQL, or anything else for that matter, without needing any credentials, this is not a security risk.
That said, you are free to remove the /tmp/kalt.ans from the disk post installation. They are only created for your convenience so that, when upgrading or reconfiguring, you won’t have to re-input all the answers manually; they are not needed for the system’s day-to-day operation.

Thanks,

Thanks for the quick reply. I do understand the permission on the files is 600 and that is a good thing. However, my point is that a root password or admin password should never be recorded in this fashion, regardless of what software it is. It is a very bad habit to assume that the installer knows their data is stored in this fashion, and to assume they have the knowledge and experience to know what to do with it in order to secure it.

There is no mention of what is in the file in the message during the config process, or that it needs to be secured in a safe place; it just says to save the file. Well, what if they save the file to root or some other place where it should not be? Yes, they should look to see what is in the file and remove the data, but again, software developers are assuming too much about the user, and this is why the rule is that passwords, especially root, should never ever be stored in this way.

That's a lot like saying put the keys to your car above the visor but not advising the user of the potential risk of doing that. Not everyone that uses this software is a network admin or proficient enough to know these kinds of things. The fact that it's there and may be just sitting in that folder for a while, or saved on the server somewhere, leaves the door open for someone to go looking for it.

I understand that if someone can get to the file then the system has bigger issues to deal with, but what the software is doing is making it easier for them to get the information they need and providing an easier way to get it.

It's backwards thinking to say it's secured under 600 permission so we can put whatever we want in the file. That information should never ever be in a file, regardless, in any format; this just gives malicious people another reason or incentive to attack a system.

If an admin wants to use the file to do a cluster or whatever then they can put the data back in for that run only. But having it just sitting out there on the server is not a good idea at all IMO.

I think that Kaltura software is good stuff and I know the market is in need of such software; however, doing things like this IMO may give the impression to someone that Kaltura is not security conscious in everything they do, which I'm sure is not the case.

Hello,

While I appreciate the feedback and encourage open discussion about anything, this included, I must say I disagree and I’ll explain why:
The message, IMHO, does explain what the file is, it says “This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.” If you feel that is not clear enough, I am certainly willing to hear suggestions for a better phrasing.

In regards to the permissions, the person installing does not need to secure anything, the file is already permissioned with 600 root.root and so, unless you are root, you cannot read it. If you are root, you don’t need it. You can launch your MySQL daemon using:

# mysqld_safe --skip-grant-tables

And MySQL will let you log in and be the super user without prompting for a passwd.

Also, and this is true of any system that uses a DB, Kaltura, Wordpress, Drupal, whatever: the DB user and passwd must be kept in a file that is accessible to the system, meaning the apache user [or any other web server you use] MUST have at least read permissions to the file and, in some cases, even write permissions to facilitate editing it from the web I/F, something I personally find to be bad practice, but security is often sacrificed in the name of convenience.

You can use keys for DB login instead of passwords, of course but in that case, again, the key MUST be in a file readable to the webserver user or whatever user runs the code.

And so, there is no way around keeping passwds in files, the important part is to grant permissions very sporadically and only to those who really need them, which is what we do.

Note also that the Kaltura installation only uses the root passwd in order to create a ‘kaltura’ DB user which ONLY has admin privileges on Kaltura related DBs.

Hope this helps clarify things,

Thanks for the clarification, and yes, you're not the only one; I stand corrected on that. I know that even CPanel stores the root password in a file above the public_html in the same format, and this too I don't like. I guess you are correct in that there is no way of getting around it. In many ways and with many applications on the market it may not be the best thing, but “it is what it is” in today's way of doing things. I will never think it's OK, but I'll have to live with how things are done just like everyone else, I guess.

Regarding the message in the config process on the answer file.

Instead of just “This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster.”

How about something like

“This answers file can be used to silently-install re-install this machine or deploy other hosts in your cluster. (red text) Providing this feature means that sensitive data must be stored in this file. (end red text) It is important that if you wish to save this file that you do so in a security conscious way. The safest way is to save the file offline in a secured environment. However if you choose to save it on the server just be sure to apply the same 600 permission to the file and/or folder itself as root:root in order to provide proper security for the data. Also we recommend that you remove all the answer files (kalt.ans) from the /tmp directory.”

How's that? And also add something like this to the install docs as well…
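An added example, not Kaltura's code and not from any poster in this thread: a small Python check of the two controls the thread settles on, the 0600 root:root permission on a saved answer file and removing the password values from it before it is kept anywhere. The kalt.ans KEY=VALUE layout and the key names are assumptions; the demo runs as an ordinary user and treats that user as the expected owner in place of root.

```python
import os
import re
import stat
import tempfile

# The page does not document the kalt.ans layout; this KEY=VALUE sample is constructed.
SAMPLE_ANSWERS = (
    "DB1_HOST=localhost\n"
    "SUPER_USER=root\n"
    "SUPER_USER_PASSWD=hunter2\n"
    "ADMIN_CONSOLE_PASSWORD=changeme\n"
)
# Keys whose values should not stay on disk once the install has finished (assumed names).
SENSITIVE_KEY_RE = re.compile(r"pass(word|wd)?|secret", re.IGNORECASE)
REDACTED = "<removed for security>"

def check_answer_file_perms(path, expected_uid=0, expected_gid=0):
    """Findings for an answer file; empty means mode 0600 owned by expected uid:gid (root:root by default)."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = [] if mode == 0o600 else ["mode %s, expected 0600" % oct(mode)]
    if (st.st_uid, st.st_gid) != (expected_uid, expected_gid):
        findings.append("owner %d:%d, expected %d:%d" % (st.st_uid, st.st_gid, expected_uid, expected_gid))
    return findings

def redact_answers(text):
    """Blank password-like values in KEY=VALUE lines, keeping every other answer intact."""
    out = []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        out.append(key + "=" + REDACTED if sep and SENSITIVE_KEY_RE.search(key) else line)
    return "\n".join(out) + "\n"

def run_demo():
    """Unprivileged walk-through: a world-readable answer file, then a redacted 0600 copy."""
    uid, gid = os.getuid(), os.getgid()  # stands in for root:root so this runs as any user
    with tempfile.TemporaryDirectory() as d:
        src, dst = os.path.join(d, "kalt.ans"), os.path.join(d, "kalt.ans.redacted")
        with open(src, "w") as f:
            f.write(SAMPLE_ANSWERS)
        os.chmod(src, 0o644)  # the weak case: any local user can read the passwords
        before = check_answer_file_perms(src, uid, gid)
        with open(src) as f:
            redacted = redact_answers(f.read())
        fd = os.open(dst, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # never wider than 0600
        with os.fdopen(fd, "w") as f:
            f.write(redacted)
        after = check_answer_file_perms(dst, uid, gid)
        os.remove(src)  # the original, still holding live passwords, is the file to delete
        return {"before": before, "after": after, "redacted": redacted}
```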