[focal] /etc/keystone owned by root
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
keystone (Ubuntu) | Fix Released | High | Unassigned | |
Bug Description
root@juju-
Desired=
| Status=
|/ Err?=(none)
||/ Name Version Architecture Description
+++-===
ii keystone 2:17.0.
root@juju-
drwxr-xr-x 82 root root 154 Mar 26 06:51 /etc
root@juju-
drwxr-x--- 3 root keystone 8 Mar 26 06:51 /etc/keystone
root@juju-
total 215
-rw-r----- 1 root keystone 2303 Mar 24 19:01 default_
-rw-r----- 1 root keystone 104730 Mar 24 19:02 keystone.conf
-rw-r----- 1 root keystone 96670 Mar 24 19:02 keystone.
-rw-r----- 1 root keystone 1046 Mar 24 19:02 logging.conf
drwxrwxr-x 2 keystone keystone 2 Mar 26 06:51 policy.d
-rw-r----- 1 root keystone 665 Mar 24 19:01 sso_callback_
root@juju-
This looks mostly correct with what we're doing via LP: #1859422, specifically:
find /etc/<pkg> -exec chown root:<pkg> "{}" +
find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
I think the /etc/keystone/policy.d directory is created by the charm and the permissions are very lenient, but I think the 750 directory permissions should prevent "other" from accessing anything in /etc/keystone (should test that).
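One way to check the point raised above, as an added example that is not part of the bug report: a small audit that lists entries granting any permission to "other" and reports whether the top-level directory's missing search bit shields them. The function names and the temporary sample tree are constructed for illustration, and GNU find and stat (as shipped on Ubuntu) are assumed.

```shell
#!/bin/sh
# Added example, not from the bug report. Assumes GNU find/stat (Ubuntu).

# Print the "other" permission digit (last octal digit) of a path.
other_digit() {
    mode=$(stat -c %a "$1") || return 2
    echo "${mode#"${mode%?}"}"
}

# List entries below ROOT whose own mode grants any bit to "other".
# Each is tagged "shielded" when ROOT denies "other" the search (x) bit,
# because other users then cannot resolve any path through ROOT,
# else "exposed". Returns 1 when exposed entries exist.
# Only ROOT is evaluated as the gate; nested gates are not considered.
audit_tree() {
    root=$1
    digit=$(other_digit "$root") || return 2
    if [ $((digit & 1)) -eq 0 ]; then tag=shielded; else tag=exposed; fi
    lenient=$(find "$root" -mindepth 1 ! -type l -perm /007 | sort)
    [ -n "$lenient" ] || return 0
    printf '%s\n' "$lenient" | sed "s|^|$tag |"
    [ "$tag" = shielded ]
}

# Constructed sample mirroring the listing: 0750 root, 0640 file, 0775 policy.d.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir "$d/policy.d" && : > "$d/keystone.conf" || return 1
    chmod 0775 "$d/policy.d" && chmod 0640 "$d/keystone.conf" && chmod 0750 "$d"
    echo "$d"
}

sample=$(make_sample_tree)
audit_tree "$sample"                 # policy.d is listed, tagged shielded
chmod 0755 "$sample"                 # open the root to "other"
audit_tree "$sample" || echo "root no longer gates access"
rm -rf "$sample"
```

The audit reads mode bits only; it does not check ownership, so members of the directory's group are outside what it reports.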