nova-secret world readable

Bug #1519088 reported by Bjoern
Affects            Status        Importance  Assigned to      Milestone
OpenStack-Ansible  Fix Released  Medium      Bjoern
  Kilo             Fix Released  Medium      Jesse Pretorius
  Liberty          Fix Released  Medium      Jesse Pretorius
  Trunk            Fix Released  Medium      Bjoern

Bug Description

Whenever the ceph_client | Define libvirt nova secret task fails, it leaves a nova-secret file behind with open permissions.
At the very least I would limit read access to root only so no one can snoop the client.cinder secret.
The permissions currently rolled out are 644 and should be set to 600.

Bjoern (bjoern-t)
Changed in openstack-ansible:
assignee: nobody → Bjoern Teipel (bjoern-teipel)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (master)

Fix proposed to branch: master
Review: https://review.openstack.org/248904

Changed in openstack-ansible:
importance: Undecided → Medium
OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (master)

Reviewed: https://review.openstack.org/248904
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=eca0f5ddfba5ac12fc0199d854b3f18504f9ccd3
Submitter: Jenkins
Branch: master

commit eca0f5ddfba5ac12fc0199d854b3f18504f9ccd3
Author: Bjoern Teipel <email address hidden>
Date: Mon Nov 23 14:42:47 2015 -0600

    Creating nova-secret with safe file permissions

    This fix will make sure that the nova-secret file will
    be created with safe "0600" (r--) permissions.

    Additionally a new task will make sure that the file is removed
    from the filesystem. This will minimize any unprivileged exposure
    to the nova-secret file content.

    Change-Id: I1c3ec322b2a661cf7dce0334866c90201bbef0a0
    Closes-Bug: #1519088

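The two problems in the report and the commit above (a secret file created 644, and a file left behind when the task fails) come down to creating the file with a restrictive mode from the start and deleting it on every exit path. The following is an added example, not code from the openstack-ansible ceph_client role or from the fix: a POSIX shell version of the define-secret step. The UUID, the dummy key, the secret XML layout and the two virsh calls are assumptions for illustration; VIRSH is overridable so the file-handling can be exercised on a host without libvirt.

```shell
#!/bin/sh
# Added example, not openstack-ansible's own code: define the libvirt secret
# for the Ceph client.cinder key without leaving a readable copy on disk.
# UUID, key, XML layout and virsh invocations are assumed for illustration.

SECRET_UUID="${SECRET_UUID:-457eb676-33da-42ec-9a8c-9293d545c337}"   # assumed value
CINDER_KEY="${CINDER_KEY:-QUFBQUFBQUFBQUFBQUFBQQ==}"                  # constructed dummy key
VIRSH="${VIRSH:-virsh}"   # overridable so the flow can be run without libvirt

# Octal permission bits of a path, e.g. 600 or 644 (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when "others" can read the path: the last octal digit has the 4 bit
# set, as in the 644 the bug reports.
world_readable() {
    case "$(file_mode "$1")" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Write the secret definition so that only the owner can read it. The umask
# is applied before the file is created, so there is no window in which a
# 644 file exists waiting for a later chmod. A stale copy is removed first,
# because umask does not tighten the mode of an existing file.
write_secret_xml() {
    out="$1"
    (
        umask 077
        rm -f "$out"
        cat > "$out" <<EOF
<secret ephemeral='no' private='no'>
  <uuid>${SECRET_UUID}</uuid>
  <usage type='ceph'>
    <name>client.cinder secret</name>
  </usage>
</secret>
EOF
    )
}

# Define the secret and set its value. The steps run in a subshell whose EXIT
# trap deletes the file, so it is gone whether virsh succeeds or fails; the
# report's problem was a failed task leaving the file behind. Returns the
# status of the last virsh call.
define_nova_secret() {
    secret_file="$1"
    (
        trap 'rm -f "$secret_file"' EXIT
        write_secret_xml "$secret_file" || exit 1
        "$VIRSH" secret-define --file "$secret_file" >/dev/null || exit 1
        "$VIRSH" secret-set-value --secret "$SECRET_UUID" --base64 "$CINDER_KEY" >/dev/null
    )
}

# Usage: sh nova-secret.sh --run /tmp/nova-secret
case "${1:-}" in
    --run) define_nova_secret "${2:-/tmp/nova-secret}" ;;
esac
```

The same two properties carry over to an Ansible task: give the template or copy module an explicit mode of "0600" rather than relying on the default, and put the file removal (file module, state absent) in an always section of a block so it runs even when the virsh command fails. The world_readable check is the audit a deployer can run over an existing host to find copies left behind by earlier, unfixed runs.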
Changed in openstack-ansible:
status: In Progress → Fix Released
Dolph Mathews (dolph)
information type: Public → Public Security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (liberty)

Fix proposed to branch: liberty
Review: https://review.openstack.org/253375

OpenStack Infra (hudson-openstack) wrote : Fix proposed to openstack-ansible (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/253377

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (kilo)

Reviewed: https://review.openstack.org/253377
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=7d57e18b5f2c5f40aa8edc2f4a3bb323a8be631b
Submitter: Jenkins
Branch: kilo

commit 7d57e18b5f2c5f40aa8edc2f4a3bb323a8be631b
Author: Bjoern Teipel <email address hidden>
Date: Mon Nov 23 14:42:47 2015 -0600

    Creating nova-secret with safe file permissions

    This fix will make sure that the nova-secret file will
    be created with safe "0600" (r--) permissions.

    Additionally a new task will make sure that the file is removed
    from the filesystem. This will minimize any unprivileged exposure
    to the nova-secret file content.

    Change-Id: I1c3ec322b2a661cf7dce0334866c90201bbef0a0
    Closes-Bug: #1519088
    (cherry picked from commit eca0f5ddfba5ac12fc0199d854b3f18504f9ccd3)

OpenStack Infra (hudson-openstack) wrote : Fix merged to openstack-ansible (liberty)

Reviewed: https://review.openstack.org/253375
Committed: https://git.openstack.org/cgit/openstack/openstack-ansible/commit/?id=1401062e38884d097241d7562e0053df9363c60f
Submitter: Jenkins
Branch: liberty

commit 1401062e38884d097241d7562e0053df9363c60f
Author: Bjoern Teipel <email address hidden>
Date: Mon Nov 23 14:42:47 2015 -0600

    Creating nova-secret with safe file permissions

    This fix will make sure that the nova-secret file will
    be created with safe "0600" (r--) permissions.

    Additionally a new task will make sure that the file is removed
    from the filesystem. This will minimize any unprivileged exposure
    to the nova-secret file content.

    Change-Id: I1c3ec322b2a661cf7dce0334866c90201bbef0a0
    Closes-Bug: #1519088
    (cherry picked from commit eca0f5ddfba5ac12fc0199d854b3f18504f9ccd3)

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 12.0.8

This issue was fixed in the openstack/openstack-ansible 12.0.8 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 12.0.9

This issue was fixed in the openstack/openstack-ansible 12.0.9 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 13.0.0

This issue was fixed in the openstack/openstack-ansible 13.0.0 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 12.0.11

This issue was fixed in the openstack/openstack-ansible 12.0.11 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.15

This issue was fixed in the openstack/openstack-ansible 11.2.15 release.

This report contains Public Security information  
Everyone can see this security related information.