admin-openrc.sh is world readable
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| kolla-ansible | Fix Released | High | Radosław Piliszek | |
| Stein | Fix Released | High | Mark Goddard | |
| Train | Fix Released | High | Mark Goddard | |
| Ussuri | Fix Released | High | Radosław Piliszek | |
| Victoria | Fix Released | High | Radosław Piliszek | |
Bug Description
The kolla-ansible post-deploy command creates a file called admin-openrc.sh in the same directory as globals.yml (/etc/kolla by default) on localhost. This script exports environment variables which may be used to access the cloud as the admin user in the admin project, and as such is very sensitive.
Currently, the task that creates the file does so with become=true, and without specifying a mode:
```yaml
- name: Creating admin openrc file on the deploy node
  hosts: localhost
  become: true
  tasks:
    - name: Template out admin-openrc.sh
      template:
        src: "roles/
        dest: "{{ node_config }}/admin-openrc.sh"
```
With Ansible, the resulting file is owned by root and world readable:
```
-rw-r--r--. 1 root root 549 Aug 14 16:28 /etc/kolla/
```
NOTE: Ansible 2.9.12 and 2.8.14 introduced a change to the default mode, making it 600 (see https:/
This means that any user with access to the directory containing the file will be able to read it, and hence the cloud's admin credentials. In many cases the directory permissions should prevent this, but we cannot rely on it.
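The weak task from the report beside a hardened version, as an added example (not kolla-ansible's own playbook, and not the exact change that was merged): the fix described in the commit message below drops become: true, sets the owner to the invoking user and the mode to 0600, and a stat/assert pair verifies the result. The template src, the node_config variable and the use of the ansible_user_id fact for the owner are assumptions for illustration.

```yaml
# Added example, not the kolla-ansible source. The template path is a placeholder.

# BEFORE (as reported): runs as root with no mode given, so the file is
# created root-owned with the default umask result (644 on most hosts).
- name: Creating admin openrc file on the deploy node (weak)
  hosts: localhost
  become: true
  tasks:
    - name: Template out admin-openrc.sh
      template:
        src: "admin-openrc.sh.j2"               # placeholder template path
        dest: "{{ node_config }}/admin-openrc.sh"

# AFTER: runs as the invoking user, explicit owner and 0600 mode, then verifies.
- name: Creating admin openrc file on the deploy node (hardened)
  hosts: localhost
  become: false
  gather_facts: true                            # needed for ansible_user_id
  tasks:
    - name: Template out admin-openrc.sh with restrictive permissions
      template:
        src: "admin-openrc.sh.j2"               # placeholder template path
        dest: "{{ node_config }}/admin-openrc.sh"
        owner: "{{ ansible_user_id }}"          # assumed: the user running Ansible
        mode: "0600"                            # quoted so YAML keeps the leading zero

    - name: Read back the permissions of the rendered file
      stat:
        path: "{{ node_config }}/admin-openrc.sh"
      register: openrc

    - name: Fail if the credentials file is readable by group or others
      assert:
        that:
          - openrc.stat.exists
          - openrc.stat.mode == "0600"
        fail_msg: "admin-openrc.sh has mode {{ openrc.stat.mode }}, expected 0600"
```

The mode is quoted deliberately: an unquoted 0600 is read by YAML as an octal integer, which the template module then interprets differently from the string "0600". The trailing stat/assert is the check a deployer can also run against an existing installation, since files rendered before the fix keep the mode they were created with until the playbook is re-run.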
Changed in kolla-ansible:
- assignee: nobody → Mark Goddard (mgoddard)
- status: Triaged → In Progress

Changed in kolla-ansible:
- assignee: Mark Goddard (mgoddard) → Pierre Riteau (priteau)

Changed in kolla-ansible:
- assignee: Pierre Riteau (priteau) → Radosław Piliszek (yoctozepto)
- information type: Private Security → Public Security
Reviewed: https://review.opendev.org/745071
Committed: https://git.openstack.org/cgit/openstack/kolla-ansible/commit/?id=16f97867a3f7050ac42fbb921310ca884e974a11
Submitter: Zuul
Branch: master
commit 16f97867a3f7050ac42fbb921310ca884e974a11
Author: likui <email address hidden>
Date: Thu Aug 6 14:12:44 2020 +0800
Fix ownership and permissions of admin-openrc.sh
Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.
This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.
Co-Authored-By: Mark Goddard <email address hidden>
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf377d4666a55a38d92bd70711aa