Nova configuration files ownership need restricting
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Nova Cloud Controller Charm | Triaged | Medium | Unassigned |
OpenStack Nova Compute Charm | Triaged | Medium | Unassigned |
Bug Description
I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: nova-cloud-
The OpenStack security checklist
(https:/
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.
Checklist item Check-Compute-01 ("Is user/group ownership of config files set to
root/nova?") on the Nova checklist
(https:/
fails.
The check requires "user and group ownership of all ... config files is set to root and nova respectively."
This is not the case:
$ juju run --application nova-cloud-
- Stderr: |
stat: cannot stat '/etc/nova/
Stdout: |
nova nova
nova nova
root root
nova nova
UnitId: nova-cloud-
<SNIP>
- Stderr: |
stat: cannot stat '/etc/nova/
Stdout: |
nova nova
nova nova
root root
nova nova
UnitId: nova-compute-kvm/0
<SNIP>
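An added example (not part of the bug report or of the charms): a POSIX shell function that performs the ownership comparison Check-Compute-01 asks for, and reports a missing file, like the one behind the `stat: cannot stat` error above, separately from a real mismatch. The function name `check_owner` and the choice to report missing files without failing are assumptions of this example; it relies on GNU `stat`.

```shell
#!/bin/sh
# check_owner EXPECTED_USER EXPECTED_GROUP FILE...
#
# Hypothetical helper (not from the charms or the OpenStack guide).
# Prints one line per file:
#   OK        owner and group match the expected pair
#   MISMATCH  file exists but is owned by someone else
#   MISSING   file is absent on this unit (reported, not counted as a failure)
# Returns 0 only when no existing file is a MISMATCH.
check_owner() {
    want_user=$1
    want_group=$2
    shift 2
    rc=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            # Assumption: a file that does not exist on this release
            # cannot have wrong ownership, so it does not fail the check.
            echo "MISSING  $f"
            continue
        fi
        # -L follows symlinks so the real file's owner is checked.
        if ! owner=$(stat -L -c '%U %G' "$f" 2>/dev/null); then
            echo "MISMATCH $f (stat failed)"
            rc=1
            continue
        fi
        if [ "$owner" = "$want_user $want_group" ]; then
            echo "OK       $f ($owner)"
        else
            echo "MISMATCH $f ($owner, want $want_user $want_group)"
            rc=1
        fi
    done
    return $rc
}
```

Call it with `root nova` and the config files the checklist item names; a non-zero return means at least one existing file is not owned as expected.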
summary:
- Nova configuration files permissions need restricting + Nova configuration files ownership need restricting
tags: added: field-critical
Changed in charm-nova-cloud-controller:
importance: Undecided → Medium
Changed in charm-nova-compute:
importance: Undecided → Medium
Changed in charm-nova-cloud-controller:
status: New → Triaged
Changed in charm-nova-compute:
status: New → Triaged
tags: added: field-medium removed: field-critical
Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.