OpenStack Heat

cfn-init data/logs world readable

Bug #1100287 reported by Steven Hardy on 2013-01-16

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Heat	Fix Released	High	Steve Baker	OpenStack Heat 2013.1 "grizzly"
	Grizzly	Fix Released	High	Steve Baker	OpenStack Heat grizzly-3 "g3"

Bug Description

Currently the /var/log/heat-provision.log file, and related data files under /var/lib/cloud/data are world readable.

This means credentials/passwords provided to the instance via user-data are not secure, we should make these readable only by root.

Steven Hardy (shardy) on 2013-01-16

Changed in heat:
status:	New → Triaged
importance:	Undecided → Low
milestone:	none → grizzly-3

Steven Dake (sdake) on 2013-01-16

Changed in heat:
importance:	Low → High
assignee:	nobody → Steven Dake (sdake)

Revision history for this message

Steve Baker (steve-stevebaker) wrote on 2013-02-04:

I hope you don't mind if I take this, I'm poking around here at the moment.

Changed in heat:
assignee:	Steven Dake (sdake) → Steve Baker (steve-stevebaker)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-02-04: Fix proposed to heat (master)

Fix proposed to branch: master
Review: https://review.openstack.org/21149

Changed in heat:
status:	Triaged → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2013-02-12: Fix merged to heat (master)

Reviewed: https://review.openstack.org/21149
Committed: http://github.com/openstack/heat/commit/c598d0d3e81b0dbd46fe9239a49ffda16ced5378
Submitter: Jenkins
Branch: master

commit c598d0d3e81b0dbd46fe9239a49ffda16ced5378
Author: Steve Baker <email address hidden>
Date: Tue Feb 5 10:10:11 2013 +1300

Refactor loguserdata.py so it can be tested.

    - Use distutils.version.LooseVersion for cloud-init version check
    - Fix bug 1100287 by setting the following modes:
      - 0600 /var/log/heat-provision.log
      - 0700 /var/lib/heat
      - 0700 /var/lib/cloud/data/cfn-userdata (was 0111!)
    - Full test coverage except for where __name__ == '__main__'
    - File size has gone from 1218 bytes to 1636. If necessary we could reduce size in the future by using short names

This works for me when launching a template. At least if there are any regressions they can have a test written for the fix.
Change-Id: I04e773a743ec210e90394e50d2bb70c70664e80e

Changed in heat:
status:	In Progress → Fix Committed

Thierry Carrez (ttx) on 2013-02-21

Changed in heat:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2013-04-04

Changed in heat:
milestone:	grizzly-3 → 2013.1

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.