
Weak .st2 config file permissions allow reading st2 creds by other Linux users #4144

Closed
arm4b opened this issue May 24, 2018 · 2 comments · Fixed by #4173
Comments

arm4b (Member) commented May 24, 2018

st2 login -w creates the ~/.st2/config file with r-o permissions, meaning that an unauthorized Linux user can read that file and obtain st2 login credentials:

$ rm -rf ~/.st2
$ st2 login st2admin -p Ch@ngeMe -w

$ ls -la ~/.st2
total 16
drwxrwxr-x 2 vagrant vagrant 4096 May 24 14:59 .
drwxr-xr-x 8 vagrant vagrant 4096 May 24 14:59 ..
-rw-rw-r-- 1 vagrant vagrant   55 May 24 14:59 config
-rw------- 1 vagrant vagrant   77 May 24 14:59 token-st2admin

Additionally, the ~/.st2/ dir permissions when created might be adjusted (currently 0755).
Adding setgid for the st2 config dir will help to better handle sudo st2 cases where the config or token file is created with root permissions (see StackStorm/packer-st2#38 for example).

Wrap Up

  • ~/.st2/ dir when created by st2 should have 2770 permissions (currently 0755)
  • ~/.st2/config when created by st2 should have 660 permissions (currently 664)
  • ~/.st2/token when created by st2 should have 660 permissions (currently 640)

Related

StackStorm/st2-packages#558 and StackStorm/packer-st2#38

nmaludy (Member) commented May 24, 2018

Any changes needed on the ansible-st2 or puppet-st2 side?

arm4b (Member, Author) commented May 24, 2018

No, correct permissions should be initially enforced by st2 core (in fact st2client), since st2 login is responsible for st2 config creation (including the ~/.st2/ dir).
