security: set default umask for service to 0027
Bug #1859412 reported by James Page
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openstack-pkg-tools (Ubuntu) | Fix Released | High | Unassigned |
Focal | Fix Released | High | Unassigned |
Bug Description
OpenStack services have no way to specify the permissions on log files created. Standards such as CIS set a default umask of 0027; however, that is not applied to units running under systemd.
This means that log files (and any other files or directories created by a daemon) will have global read permissions by default.
As the systemd unit files are templated, we can update this fairly easily for OpenStack services by adding the `UMask=0027` directive to the core template.
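The effect described above, as an added example that is not part of the bug report or of the openstack-pkg-tools code: it reads `UMask=` from a constructed unit file and creates a log file and a directory under that mask to show the resulting modes. The unit contents, paths and function names are made up for illustration, and the fallback of 0022 is systemd's default for system units when the directive is absent.

```python
import os
import stat
import tempfile

# Constructed sample unit, not the real openstack-pkg-tools template.
UNIT_WITHOUT = """\
[Unit]
Description=Example daemon (constructed)

[Service]
User=example
ExecStart=/usr/bin/example-daemon --log-file=/var/log/example/example.log
"""
UNIT_WITH = UNIT_WITHOUT + "UMask=0027\n"

def service_umask(unit_text, default=0o022):
    """Umask set in [Service]; systemd's default for system units is 0022."""
    section, mask = None, default
    for line in map(str.strip, unit_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Service" and not line.startswith(("#", ";")):
            key, _, val = line.partition("=")
            if key.strip() == "UMask" and val.strip():
                mask = int(val.strip(), 8)  # a later assignment overrides
    return mask

def created_modes(mask):
    """Modes of a log file and directory created under `mask`, as a daemon
    would with the usual 0666/0777 requests."""
    old = os.umask(mask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            log = os.path.join(tmp, "service.log")
            os.close(os.open(log, os.O_CREAT | os.O_WRONLY, 0o666))
            state = os.path.join(tmp, "state")
            os.mkdir(state, 0o777)
            return tuple(stat.S_IMODE(os.stat(p).st_mode) for p in (log, state))
    finally:
        os.umask(old)

if __name__ == "__main__":
    for label, unit in (("no UMask", UNIT_WITHOUT), ("UMask=0027", UNIT_WITH)):
        mask = service_umask(unit)
        log_mode, dir_mode = created_modes(mask)
        exposed = bool(log_mode & stat.S_IRWXO)  # any "other" bit set
        print(f"{label}: umask {mask:04o} -> log {log_mode:04o}, "
              f"dir {dir_mode:04o}, world-accessible: {exposed}")
```

Files that already exist keep their old mode after the unit is changed, so logs written before the new template took effect still need a one-off permission fix.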
Changed in openstack-pkg-tools (Ubuntu Focal): status: Fix Committed → Fix Released
I've uploaded new openstack-pkg-tools to focal with this change in place - reverse-depends will need a rebuild to pick up the new template.