From 7df9283b307c11134faf1135a6ced3839e8e0d20 Mon Sep 17 00:00:00 2001
From: Julius Milan <jmilan@redhat.com>
Date: Tue, 14 Nov 2017 16:13:58 +0100
Subject: [PATCH 03/22] reporter-bugzilla: read configuration from user's home

Problem was, that /etc/libreport/plugins/bugzilla.conf has read
permissions set also for others and passwords are stored there as
plain text.

As a solution, bugzilla.conf can now also be placed in the user's home:
$HOME/.config/libreport/bugzilla.conf
where users can safely store their credentials. Credentials provided
on the first run of reporter-bugzilla are stored there as well.

Added warning to /etc/libreport/plugins/bugzilla.conf for system admin
to be aware that file is readable by everyone and should not contain
confidential credentials.

Related to rhbz#1008994, rhbz#1008977
---
 src/include/internal_libreport.h | 3 +++
 src/plugins/bugzilla.conf        | 5 +++++
 src/plugins/reporter-bugzilla.c  | 8 ++++++++
 3 files changed, 16 insertions(+)

diff --git a/src/include/internal_libreport.h b/src/include/internal_libreport.h
index 1df4cba3..b3c7584b 100644
--- a/src/include/internal_libreport.h
+++ b/src/include/internal_libreport.h
@@ -89,6 +89,9 @@ int vdprintf(int d, const char *format, va_list ap);
 #define CREATE_PRIVATE_TICKET "ABRT_CREATE_PRIVATE_TICKET"
 #define STOP_ON_NOT_REPORTABLE "ABRT_STOP_ON_NOT_REPORTABLE"
 
+/* path of user's local config, path is relative to user's home */
+#define USER_HOME_CONFIG_PATH "/.config/libreport"
+
 /* Pull in entire public libreport API */
 #include "global_configuration.h"
 #include "dump_dir.h"
diff --git a/src/plugins/bugzilla.conf b/src/plugins/bugzilla.conf
index faa3ab2e..a7727392 100644
--- a/src/plugins/bugzilla.conf
+++ b/src/plugins/bugzilla.conf
@@ -1,7 +1,12 @@
+# NOTE this file is readable by everyone, do NOT store here sensitive data,
+# for such cases should be used config file in user's home,
+# i.e.: $HOME/.config/libreport/bugzilla.conf
+
 # Bugzilla URL, defaults to BUG_REPORT_URL from /etc/os-release
 # BugzillaURL = https://bugzilla.example.com/
 # yes means that ssl certificates will be checked
 SSLVerify = yes
+
 # your login has to exist, if you don't have any, please create one
 Login =
 # your password
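Review bot: The added header comment sends users to `$HOME/.config/libreport/bugzilla.conf` for credentials but does not say what permissions that file needs, and nothing visible in this patch creates it with a restrictive mode. I would extend the note with a line such as `# keep that file readable only by its owner (mode 0600)`. The `Login =` key and the password key that follows it (the hunk ends at its comment line) stay in this world-readable file, so a short `# leave empty here, see NOTE at the top of this file` beside them would put the warning where an admin actually types the value.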
diff --git a/src/plugins/reporter-bugzilla.c b/src/plugins/reporter-bugzilla.c
index 67ac4d11..1571b752 100644
--- a/src/plugins/reporter-bugzilla.c
+++ b/src/plugins/reporter-bugzilla.c
@@ -214,6 +214,7 @@ static
 void login(struct abrt_xmlrpc *client, struct bugzilla_struct *rhbz)
 {
     log_warning(_("Logging into Bugzilla at %s"), rhbz->b_bugzilla_url);
+
     while (!rhbz_login(client, rhbz->b_login, rhbz->b_password))
     {
         char *question;
@@ -281,9 +282,11 @@ int main(int argc, char **argv)
         "\nfiled. The default value is 'ABRT Server'"
         "\n"
         "\nIf not specified, CONFFILE defaults to "CONF_DIR"/plugins/bugzilla.conf"
+        "\nand user's local ~"USER_HOME_CONFIG_PATH"/bugzilla.conf."
         "\nIts lines should have 'PARAM = VALUE' format."
         "\nRecognized string parameters: BugzillaURL, Login, Password, OSRelease."
         "\nRecognized boolean parameter (VALUE should be 1/0, yes/no): SSLVerify."
+        "\nUser's local configuration overrides the system wide configuration."
         "\nParameters can be overridden via $Bugzilla_PARAM environment variables."
         "\n"
         "\nFMTFILE and FMTFILE2 default to "CONF_DIR"/plugins/bugzilla_format.conf"
@@ -357,7 +360,12 @@ int main(int argc, char **argv)
 
     {
         if (!conf_file)
+        {
             conf_file = g_list_append(conf_file, (char*) CONF_DIR"/plugins/bugzilla.conf");
+            char *local_conf = xasprintf("%s"USER_HOME_CONFIG_PATH"/bugzilla.conf", getenv("HOME"));
+            conf_file = g_list_append(conf_file, local_conf);
+            free(local_conf);
+        }
         while (conf_file)
         {
             char *fn = (char *)conf_file->data;
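Review bot: `free(local_conf);` releases the string right after `g_list_append` stored that same pointer in `conf_file`, so the `while (conf_file)` loop just below reads freed memory through `conf_file->data` when it reaches the user's file. The list has to keep ownership: drop the `free`, or release the string only after the loop has consumed the entry (the loop body continues outside this hunk, and the first entry is a string literal that must not be freed). `getenv("HOME")` is also passed to `%s` unchecked, which is undefined behaviour when HOME is unset; read it once with `const char *home = getenv("HOME");` and append the user path only `if (home && home[0] == '/')`. Since credentials are now loaded from a path taken from the environment, it is worth confirming that the reporter never runs with privileges above those of the invoking user.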
-- 
2.14.3