[focal] /etc/keystone owned by root

Bug #1869132 reported by Frode Nordahl
Affects: keystone (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Unassigned

Bug Description

root@juju-c9e7e0-4:/etc# dpkg -l keystone
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==============-============================================-============-====================================
ii keystone 2:17.0.0~b3~git2020032415.9f9040257-0ubuntu1 all OpenStack identity service - Daemons
root@juju-c9e7e0-4:/etc# ls -ld /etc
drwxr-xr-x 82 root root 154 Mar 26 06:51 /etc
root@juju-c9e7e0-4:/etc# ls -ld /etc/keystone
drwxr-x--- 3 root keystone 8 Mar 26 06:51 /etc/keystone
root@juju-c9e7e0-4:/etc# ls -l /etc/keystone
total 215
-rw-r----- 1 root keystone 2303 Mar 24 19:01 default_catalog.templates
-rw-r----- 1 root keystone 104730 Mar 24 19:02 keystone.conf
-rw-r----- 1 root keystone 96670 Mar 24 19:02 keystone.policy.yaml
-rw-r----- 1 root keystone 1046 Mar 24 19:02 logging.conf
drwxrwxr-x 2 keystone keystone 2 Mar 26 06:51 policy.d
-rw-r----- 1 root keystone 665 Mar 24 19:01 sso_callback_template.html
root@juju-c9e7e0-4:/etc#

Corey Bryant (corey.bryant) wrote :

This looks mostly correct with what we're doing via LP: #1859422, specifically:

find /etc/<pkg> -exec chown root:<pkg> "{}" +
find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

I think the /etc/keystone/policy.d directory is created by the charm and the permissions are very lenient but I think the 750 directory permissions should prevent "other" from accessing anything in /etc/keystone (should test that).

Frode Nordahl (fnordahl) wrote :

Example of charm deploy on focal not coping with the change in https://openstack-ci-reports.ubuntu.com/artifacts/test_charm_pipeline_func_smoke/openstack/charm-ceph-radosgw/714400/7/15452/index.html

Essentially the charm executes ``sudo -u keystone keystone-manage fernet_setup`` and that fails with Permission denied when it attempts to create a directory under /etc/keystone.

Corey Bryant (corey.bryant) wrote :

OK, the guidance for keystone is more strict. For keystone, /etc/ files/directories should be owned by keystone:keystone: https://docs.openstack.org/security-guide/identity/checklist.html

Changed in keystone (Ubuntu):
status: New → Triaged
importance: Undecided → High
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package keystone - 2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2

---------------
keystone (2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2) focal; urgency=medium

  * d/keystone-common.postinst: Set default ownership for /etc/<pkg>
    files/directories to keystone:keystone (LP: #1869132).

 -- Corey Bryant <email address hidden> Thu, 26 Mar 2020 11:48:38 -0400

Changed in keystone (Ubuntu):
status: Triaged → Fix Released
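Added example, not code from this bug thread or from the keystone package: a POSIX shell script that applies the ownership and mode scheme from Corey's first comment with a configurable owner (root:<pkg> for most packages, keystone:keystone for keystone as the postinst fix above does) and audits a directory for paths that deviate from it. The function names are assumptions, and the audit relies on GNU find (-perm /mode, -printf).

```shell
#!/bin/sh
# Assumed helper names; the scheme itself is the one from LP: #1859422:
# files 0640, directories 0750, owner and group supplied by the caller.

# apply_etc_perms DIR OWNER GROUP
# Sets ownership on every path, then 0640 on files and 0750 on directories.
# With the "-exec ... +" form the first action always succeeds, so "-o"
# only falls through to the directory branch for non-files.
apply_etc_perms() {
    dir=$1; owner=$2; group=$3
    find "$dir" -exec chown "$owner:$group" "{}" +
    find "$dir" -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
}

# audit_etc_perms DIR OWNER GROUP
# Prints one line per path that breaks the scheme: wrong owner or group,
# any permission bit for "other" (-perm /007), or an executable file
# (-perm /111). A config directory owned by the wrong user is what made
# "keystone-manage fernet_setup" fail in this bug, so ownership is checked
# for directories as well as files.
audit_etc_perms() {
    dir=$1; owner=$2; group=$3
    find "$dir" \( ! -user "$owner" -o ! -group "$group" -o -perm /007 \
        -o \( -type f -perm /111 \) \) -printf 'BAD: %M %u:%g %p\n'
}

# count_violations DIR OWNER GROUP
# Number of offending paths; 0 means the directory matches the scheme.
count_violations() {
    audit_etc_perms "$@" | wc -l | tr -d ' '
}

# Usage: script.sh /etc/keystone keystone keystone
# Nothing is touched when the script is run without the three arguments.
if [ "$#" -eq 3 ]; then
    apply_etc_perms "$1" "$2" "$3"
    audit_etc_perms "$1" "$2" "$3"
fi
```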
Corey Bryant (corey.bryant) wrote :

I should have said less strict in comment #3. Did this fix the issue @frode?

Frode Nordahl (fnordahl) wrote :

Yes, that resolved the issue, thank you @corey!

root@juju-ae56ef-0:~# dpkg -s keystone
Package: keystone
Status: install ok installed
Priority: extra
Section: python
Installed-Size: 31
Maintainer: Ubuntu Developers <email address hidden>
Architecture: all
Version: 2:17.0.0~b3~git2020032415.9f9040257-0ubuntu2

root@juju-ae56ef-0:~# ls -ld /etc/keystone/
drwxr-x--- 5 keystone keystone 11 Mar 27 13:32 /etc/keystone/
root@juju-ae56ef-0:~# ls -ld /etc/keystone/fernet-keys/
drwx------ 2 keystone keystone 4 Mar 27 13:32 /etc/keystone/fernet-keys/

$ juju status keystone
Model Controller Cloud/Region Version SLA Timestamp
default localhost-localhost localhost/localhost 2.7.4 unsupported 14:40:28+01:00

App Version Status Scale Charm Store Rev OS Notes
keystone 17.0.0~b3~gi... waiting 1 keystone jujucharms 489 ubuntu
mysql-router 8.0.19 waiting 1 mysql-router jujucharms 8 ubuntu

Unit Workload Agent Machine Public address Ports Message
keystone/0* waiting idle 0 10.219.3.82 5000/tcp Incomplete relations: database
  mysql-router/0* waiting idle 10.219.3.82 'db-router' incomplete, MySQL Router not yet bootstrapped

Machine State DNS Inst id Series AZ Message
0 started 10.219.3.82 juju-ae56ef-0 focal Running
