Summary
When the grafana-agent charm (revision 223) is deployed it writes /etc/grafana-agent.yaml
to the file system and leaves the file world readable (it ends up with permissions 0644).
The file contains the Prometheus scrape configuration, which may include HTTP basic auth credentials, including passwords, used to access the configured service endpoints.
Keeping the file world readable allows any local user on the system to read /etc/grafana-agent.yaml
and extract those HTTP basic auth credentials.
Details
The file is written from here and the actual write operation is implemented here. The plain with open(path, "w") as f:
creates the target file with mode 0666 masked by the process umask, which under the usual umask of 022 is 0644.
Other files, e.g. certificates and their keys written by write_file
might be affected as well, but I haven't explored this further yet.
PoC
- Deploy grafana-agent:
$ juju deploy grafana-agent
- Relate it to any other application, e.g.
$ juju relate grafana-agent:cos-agent ams:cos-agent
- Check the permissions of
/etc/grafana-agent.yaml
on the machine grafana-agent is deployed on
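The following is an added illustration written for this advisory, not code from the grafana-agent charm. It reproduces the write pattern described under Details (a plain open(path, "w") that yields 0644), shows a hardened write that creates the file owner-only via os.open plus fchmod (so an already world-readable file is tightened on rewrite as well), and implements the permission check from the PoC step in Python. The helper names, the run_demo wrapper and the YAML with its placeholder password are all constructed for the example; it assumes a Linux host with umask 022.

```python
"""Plain open() write versus a permission-safe write of a secret-bearing config.

Added example for this advisory; not the grafana-agent charm's own code.
The YAML below is a constructed stand-in for /etc/grafana-agent.yaml.
"""
import os
import stat
import tempfile

# Constructed sample config; the password is a placeholder, not a real credential.
CONSTRUCTED_CONFIG = """\
metrics:
  configs:
    - name: agent
      scrape_configs:
        - job_name: example
          basic_auth:
            username: scraper
            password: not-a-real-password
          static_configs:
            - targets: ["10.0.0.5:9100"]
"""


def write_file_default(path: str, content: str) -> None:
    """The pattern the advisory describes: a plain open(path, "w").

    A new file is created with mode 0666 & ~umask, i.e. 0644 under the usual
    umask 022, so every local user can read the embedded credentials.
    """
    with open(path, "w") as f:
        f.write(content)


def write_file_private(path: str, content: str, mode: int = 0o600) -> None:
    """Hardened variant: the file is owner-only from the moment it exists.

    os.open() applies `mode` at creation (minus umask); fchmod() then forces it
    regardless of umask or of a pre-existing file's mode, so an already
    world-readable file is tightened instead of being left as is.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as f:  # fdopen owns fd; closing f closes it
        os.fchmod(fd, mode)
        f.write(content)


def file_mode(path: str) -> int:
    """Permission bits only (e.g. 0o644), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_readable(path: str) -> bool:
    """The PoC check: can 'other' read the file?"""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo(directory: str) -> dict:
    """Write the constructed config three ways and report the resulting modes."""
    default_path = os.path.join(directory, "grafana-agent-default.yaml")
    private_path = os.path.join(directory, "grafana-agent-private.yaml")
    fixed_path = os.path.join(directory, "grafana-agent-fixed.yaml")

    write_file_default(default_path, CONSTRUCTED_CONFIG)
    write_file_private(private_path, CONSTRUCTED_CONFIG)
    # An existing world-readable file rewritten with the hardened helper.
    write_file_default(fixed_path, CONSTRUCTED_CONFIG)
    write_file_private(fixed_path, CONSTRUCTED_CONFIG)

    return {
        "default_mode": file_mode(default_path),
        "default_world_readable": is_world_readable(default_path),
        "private_mode": file_mode(private_path),
        "private_world_readable": is_world_readable(private_path),
        "fixed_mode": file_mode(fixed_path),
    }


def run_demo() -> dict:
    """Run demo() in a temp dir under umask 022 so the 0644 default is reproducible."""
    old_umask = os.umask(0o022)
    try:
        with tempfile.TemporaryDirectory() as d:
            return demo(d)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    r = run_demo()
    print(f"open(path, 'w'):          {r['default_mode']:04o} world-readable={r['default_world_readable']}")
    print(f"os.open + fchmod:         {r['private_mode']:04o} world-readable={r['private_world_readable']}")
    print(f"existing 0644 file fixed: {r['fixed_mode']:04o}")
```

On the deployed machine the same check is simply stat on /etc/grafana-agent.yaml; the fchmod step matters because fixing the charm's open() call alone would leave files written by the vulnerable revision at 0644 until they are rewritten with explicit permissions.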
Impact
Any user with access to the machine grafana-agent is deployed on can extract the credentials for the other services grafana-agent is meant to scrape for metrics.