security: set default umask for service to 0027
Bug #1859412 reported by
James Page
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| openstack-pkg-tools (Ubuntu) |
Fix Released
|
High
|
Unassigned | ||
| Focal |
Fix Released
|
High
|
Unassigned | ||
Bug Description
OpenStack services have no way to specify the permissions on log files created; standards such as CIS set a default umask of 0027 however that is not applied to units running under systemd.
This means that log files (and any other files or directories created by a daemon) will have global read permissions by default.
As the systemd unit files are templated, we can update this fairly easily for openstack services by adding the UMask=0027 directive to the core template.
Revision history for this message
| James Page (james-page) wrote | #1 |
| Changed in openstack-pkg-tools (Ubuntu Focal): | |
| status: | New → Fix Committed |
| importance: | Undecided → High |
| Changed in openstack-pkg-tools (Ubuntu Focal): | |
| status: | Fix Committed → Fix Released |
To post a comment you must log in.
I've uploaded new openstack-pkg-tools to focal with this change in place - reverse-depends will need a rebuild to pickup the new template.