There are several files with sensitive credential and configuration data on the Management Server which are accessible by all unix users on this system

Not applicable

There are several files with sensitive credential and configuration data on the Management Server which are accessible by all Unix users on this system. Users without additional rights might access the data and, e.g., brute-force the credentials for the Cassandra backend user.



ascsac:apigee:/var/SP/apigee $ ll /opt/apigee/customer/conf/license.txt
-rw-r--r--. 1 apigee apigee 349 Jul 13 16:45 /opt/apigee/customer/conf/license.txt

ascsac:apigee:/var/SP/apigee $ ll /opt/apigee/edge-management-server/conf/cassandra.properties
-rw-rw-r--. 1 apigee apigee 69 Aug 4 15:30 /opt/apigee/edge-management-server/conf/cassandra.properties

ascsac:apigee:/var/SP/apigee $ ll /opt/SP/apigee/edge-ui-4.16.01-0.0.3654/conf/apigee.conf
-rw-rw-r--. 1 apigee apigee 1997 Aug 15 17:54 /opt/SP/apigee/edge-ui-4.16.01-0.0.3654/conf/apigee.conf


Will there be an impact on the Apigee UI if we chmod 640 these files?


Not applicable

What would you be achieving by doing that? Users can still view the file.

You could try enabling the sticky bit to avoid modification by anyone and then change it to 400. Most of the config files work just fine with a 400. This way you ensure that nobody can modify the file, at the very least.

Not applicable

The fix for this is to change the ownership of the source files, i.e. change the ownership of /opt/apigee/edge-management-server/source/conf/cassandra.properties instead of /opt/apigee/edge-management-server/conf/cassandra.properties.

For license.txt, you can change it directly.

While changing the ownership, please make sure the file is owned by the user who is running the management process (by default this user is apigee).
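An added example, not code from this thread or from Apigee: a small POSIX sh audit that flags the three files from the question when their "other" read bit is set, removes that access, and rewrites the edge-management-server conf/ path to the source/conf/ path the second reply says must be changed instead. The function names are made up here, and the assumption that conf/ is derived from source/conf/ is taken from that reply.

```shell
#!/bin/sh
# Added example, not code from the thread or from Apigee.
# Audits config files for the "other" read bit the question complains
# about, and maps edge-management-server/conf/ paths to the source/conf/
# path the second reply says must be changed instead (assumption: the
# conf/ copy is regenerated from it). Function names are made up here.

# Succeeds (0) when the file's "other" read bit is set.
other_readable() {
    [ -n "$(find "$1" -prune -perm -o=r 2>/dev/null)" ]
}

# Per the second reply, a permission or ownership change on the
# management server must be made on the source copy, not on conf/.
source_conf_path() {
    printf '%s\n' "$1" |
        sed 's#/edge-management-server/conf/#/edge-management-server/source/conf/#'
}

# Report each given file; return 1 if any is readable by "other".
world_readable_report() {
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            printf 'MISSING        %s\n' "$f"
        elif other_readable "$f"; then
            printf 'WORLD-READABLE %s (mode %s)\n' "$f" "$(ls -ld "$f" | cut -c1-10)"
            rc=1
        else
            printf 'ok             %s\n' "$f"
        fi
    done
    return $rc
}

# Remove all access for "other" (the effect the question's chmod 640 aims
# at), applied to the source copy where one exists so it is not overwritten.
restrict_other() {
    target=$(source_conf_path "$1")
    [ -e "$target" ] || target=$1
    chmod o-rwx "$target"
}

# Files named in the question (paths from the thread).
world_readable_report \
    /opt/apigee/customer/conf/license.txt \
    /opt/apigee/edge-management-server/conf/cassandra.properties \
    /opt/SP/apigee/edge-ui-4.16.01-0.0.3654/conf/apigee.conf
```

Run it as the apigee user on the management server; a non-zero exit means at least one listed file is still readable by every local account.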