insecure temp database
Closed this issue · 7 comments
datanommer uses /tmp/datanommer.db as default database and is enabled by default in Fedora 19. This might lead to security problems.
Any idea what alternative we should use?
We could use postgres by default... too heavyweight.
Disable datanommer by default.. ?
Use a more secure location for the default sqlite db? Any recommendations on where that should be?
It should be disabled by default and a good default location would be /var/lib/datanommer/datanommer.sqlite or similar.
Since the current solution is not persistent and will be removed on reboot, an in-memory database might be a different option. Or datanommer could just refuse to start unless a database was specified.
Btw, it also seems that datanommer will not even run out of the box, because there were tracebacks in the fedmsg-hub output when I accidentally started it.
Ah, can you file another issue with those tracebacks?
Here's an equivalent patch for rawhide - http://pkgs.fedoraproject.org/cgit/python-datanommer-models.git/commit/?id=6e34d1afd6e6bed8ca6e00036e78668292230889
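The two suggestions from the thread (refuse to start without a configured database, and keep the sqlite file out of a shared directory such as /tmp) can be combined into one startup check. This is an added example, not datanommer's code or the linked patch; the names `sqlite_path`, `check_database_url` and `UnsafeDatabaseLocation` are hypothetical, and it assumes a SQLAlchemy-style database URL and inspects only the directory that directly contains the file.

```python
import os
import stat
from urllib.parse import urlparse


class UnsafeDatabaseLocation(Exception):
    """The configured database must not be used as-is."""


def sqlite_path(db_url):
    """Return the file behind a SQLAlchemy-style sqlite URL, or None if there is none."""
    if not db_url:
        # "refuse to start unless a database was specified"
        raise UnsafeDatabaseLocation("no database configured")
    parsed = urlparse(db_url)
    if not parsed.scheme.startswith("sqlite"):
        return None  # server backend such as postgres: no local file
    if parsed.path in ("", "/", "/:memory:"):
        return None  # in-memory database
    return os.path.abspath(parsed.path[1:])  # drop the URL separator slash


def check_database_url(db_url):
    """Return the vetted sqlite path (or None); raise if the location is unsafe."""
    path = sqlite_path(db_url)
    if path is None:
        return None
    if os.path.islink(path):
        raise UnsafeDatabaseLocation("%s is a symlink" % path)
    directory = os.path.realpath(os.path.dirname(path))
    try:
        st = os.stat(directory)
    except FileNotFoundError:
        raise UnsafeDatabaseLocation("%s does not exist" % directory)
    # Only the containing directory is checked (a simplification of this sketch).
    if st.st_mode & stat.S_IWOTH:
        # Any local user can pre-create the file before the service does.
        raise UnsafeDatabaseLocation("%s is world-writable" % directory)
    if st.st_uid not in (0, os.getuid()):
        raise UnsafeDatabaseLocation("%s is owned by another user" % directory)
    return os.path.join(directory, os.path.basename(path))


if __name__ == "__main__":
    for url in ("sqlite:////tmp/datanommer.db",
                "sqlite:////var/lib/datanommer/datanommer.sqlite"):
        try:
            print("ok:", check_database_url(url))
        except UnsafeDatabaseLocation as exc:
            print("refusing to start:", exc)
```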