Package installs files with loose permissions

Bug #1820992 reported by Chris MacNaughton
Affects                    Status    Importance   Assigned to   Milestone
OpenStack Keystone Charm   Invalid   Undecided    Unassigned
keystone (Ubuntu)          Invalid   High         Unassigned

Bug Description

The OpenStack Security Guide [1] suggests that the listed files should have permissions of 640 (or tighter), below are files delivered via the package that differ from that recommendation:

- /etc/keystone/keystone.conf
- /etc/keystone/keystone-paste.ini
- /etc/keystone/logging.conf

[1]: https://docs.openstack.org/security-guide/identity/checklist.html#check-identity-02-are-strict-permissions-set-for-identity-configuration-files

This is on a fresh Bionic (Queens) package.

Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

It is also recommended that the files be owned by keystone:keystone rather than root:root

Revision history for this message
Corey Bryant (corey.bryant) wrote :

I believe this needs fixing across all package versions. It exists for Stein:

root@d1:~# ls -al /etc/keystone
total 72
drwxr-xr-x 2 root root 7 Mar 20 14:49 .
drwxr-xr-x 86 root root 174 Mar 20 14:49 ..
-rw-r--r-- 1 root root 2303 Apr 28 2017 default_catalog.templates
-rw-r--r-- 1 root root 109578 Mar 19 11:26 keystone.conf
-rw-r--r-- 1 root root 81504 Mar 19 11:26 keystone.policy.yaml
-rw-r--r-- 1 root root 1046 Mar 19 11:26 logging.conf
-rw-r--r-- 1 root root 665 Apr 28 2017 sso_callback_template.html

As part of this bug we should also audit all of our core openstack packages to make sure they have the right permissions. I made a pass on several during this cycle but must have missed keystone somehow.

Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

For reference, most services should be:

-rw-r----- root:$SERVICE (640)

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Here's an example of recent changes to designate to fix that up:

https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/designate/commit/?id=43ef5068e7a3e6ab831e7dfce15a69bcbeb89002

Note that it sets /etc/designate to 750 root:designate, which should allow config files in that directory to get default 644 permissions.

Changed in keystone (Ubuntu):
status: New → Triaged
importance: Undecided → High
Revision history for this message
Chris MacNaughton (chris.macnaughton) wrote :

It looks like the package does install the /etc/keystone directory as 750, so I'm marking this as invalid.

Changed in charm-keystone:
status: New → Invalid
Changed in keystone (Ubuntu):
status: Triaged → Invalid
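The thread closes on the point that a 644 file inside a 750 directory is not actually reachable by "other" users, because a directory without o+x cannot be traversed. The following POSIX shell audit is an added example, not code from the bug report, the keystone package or the charm: it walks a config directory and reports each file as OK (not world-readable), DIR_SHIELDED (world-readable file, but the directory blocks traversal) or EXPOSED (world-readable file in a world-searchable directory). It assumes GNU coreutils `stat -c`, checks only the directory given (parents such as /etc are assumed traversable, as they normally are), and the layout built in demo() is constructed for illustration rather than taken from any real install.

```shell
#!/bin/sh
# Added audit helper (not part of the keystone package or the bug report).
# A config file is reported as EXPOSED when it is world-readable (o+r) AND
# the directory holding it is world-searchable (o+x). A 644 file inside a
# 750 directory is not reachable by "other" users and is reported as
# DIR_SHIELDED instead. Only DIR itself is inspected; its parents are
# assumed to be traversable (as /etc normally is).

# Octal mode of a path (GNU coreutils stat; assumption for this example).
mode_of() {
    stat -c '%a' "$1"
}

# Does octal mode $1 grant "other" permission bit $2 (4 = read, 1 = search/exec)?
other_has() {
    last=${1#"${1%?}"}            # last octal digit = "other" bits
    [ $(( $last & $2 )) -ne 0 ]
}

# Print one line per regular file directly under DIR:
#   <mode> <owner>:<group> <path> <verdict>
# Returns 1 if any file is EXPOSED, else 0.
audit_conf_dir() {
    dir=$1
    rc=0
    dmode=$(mode_of "$dir")
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fmode=$(mode_of "$f")
        owner=$(stat -c '%U:%G' "$f")
        if other_has "$fmode" 4; then
            if other_has "$dmode" 1; then
                verdict=EXPOSED
                rc=1
            else
                verdict=DIR_SHIELDED
            fi
        else
            verdict=OK
        fi
        printf '%s %s %s %s\n' "$fmode" "$owner" "$f" "$verdict"
    done
    return $rc
}

# Constructed demo layout: the packaged keystone case (750 dir, 644 file)
# next to the genuinely exposed case (755 dir, 644 file).
demo() {
    t=$(mktemp -d)
    mkdir -m 750 "$t/shielded"
    : > "$t/shielded/keystone.conf"; chmod 644 "$t/shielded/keystone.conf"
    mkdir -m 755 "$t/exposed"
    : > "$t/exposed/keystone.conf";  chmod 644 "$t/exposed/keystone.conf"
    audit_conf_dir "$t/shielded"
    audit_conf_dir "$t/exposed" || echo "exposed: world-readable config reachable by others"
    rm -rf "$t"
}

demo
```

Run it against a real install with `audit_conf_dir /etc/keystone`; a non-zero exit means at least one file is readable by users outside root and the service group, which is the condition the Security Guide checklist item is about. Ownership is printed but not judged, since the thread treats root:$SERVICE as the target rather than a hard failure.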