Nova configuration files ownership need restricting
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Nova Cloud Controller Charm |
Triaged
|
Medium
|
Unassigned | ||
| OpenStack Nova Compute Charm |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: nova-cloud-
The OpenStack security checklist
(https:/
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.
Checklist item Check-Compute-01 ("Is user/group ownership of config files set to
root/nova?") on the Nova checklist
(https:/
fails.
The check requires "user and group ownership of all ... config files is set to root and nova respectively."
This is not the case:
$ juju run --application nova-cloud-
- Stderr: |
stat: cannot stat '/etc/nova/
Stdout: |
nova nova
nova nova
root root
nova nova
UnitId: nova-cloud-
<SNIP>
- Stderr: |
stat: cannot stat '/etc/nova/
Stdout: |
nova nova
nova nova
root root
nova nova
UnitId: nova-compute-kvm/0
<SNIP>
| summary: |
- Nova configuration files permissions need restricting + Nova configuration files ownership need restricting |
| tags: | added: field-critical |
| Changed in charm-nova-cloud-controller: | |
| importance: | Undecided → Medium |
| Changed in charm-nova-compute: | |
| importance: | Undecided → Medium |
| Changed in charm-nova-cloud-controller: | |
| status: | New → Triaged |
| Changed in charm-nova-compute: | |
| status: | New → Triaged |
| tags: |
added: field-medium removed: field-critical |
| Aurelien Lourot (aurelien-lourot) wrote | #1 |
| Corey Bryant (corey.bryant) wrote | #2 |
Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.