admin-openrc.sh is world readable
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| kolla-ansible |
Fix Released
|
High
|
Radosław Piliszek | ||
| Stein |
Fix Released
|
High
|
Mark Goddard | ||
| Train |
Fix Released
|
High
|
Mark Goddard | ||
| Ussuri |
Fix Released
|
High
|
Radosław Piliszek | ||
| Victoria |
Fix Released
|
High
|
Radosław Piliszek | ||
Bug Description
The kolla-ansible post-deploy command creates a file called admin-openrc.sh in same directory as globals.yml (/etc/kolla by default) on localhost. This script exports environment variables which may be used to access the cloud as the admin user in the admin project, and as such is very sensitive.
Currently, the task that creates the file does so with become=true, and without specifying a mode:
- name: Creating admin openrc file on the deploy node
hosts: localhost
become: true
tasks:
- name: Template out admin-openrc.sh
template:
src: "roles/
dest: "{{ node_config }}/admin-openrc.sh"
With ansible!
-rw-r--r--. 1 root root 549 Aug 14 16:28 /etc/kolla/
NOTE: Ansible in 2.9.12 and 2.8.14 introduced a change to the default mode, making it 600 (see https:/
This means that any user with access to the directory containing the file will be able to read it, and hence the cloud's admin credentials. In many cases the directory permissions should prevent this, but we cannot rely on it.
| Changed in kolla-ansible: | |
| assignee: | nobody → Mark Goddard (mgoddard) |
| status: | Triaged → In Progress |
| Changed in kolla-ansible: | |
| assignee: | Mark Goddard (mgoddard) → Pierre Riteau (priteau) |
| Changed in kolla-ansible: | |
| assignee: | Pierre Riteau (priteau) → Radosław Piliszek (yoctozepto) |
| OpenStack Infra (hudson-openstack) wrote Fix merged to kolla-ansible (master) | #1 |
| Changed in kolla-ansible: | |
| status: | In Progress → Fix Released |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to kolla-ansible (stable/ussuri) | #2 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to kolla-ansible (stable/train) | #3 |
| OpenStack Infra (hudson-openstack) wrote Fix proposed to kolla-ansible (stable/stein) | #4 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to kolla-ansible (stable/stein) | #5 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to kolla-ansible (stable/train) | #6 |
| OpenStack Infra (hudson-openstack) wrote Fix merged to kolla-ansible (stable/ussuri) | #7 |
| information type: | Private Security → Public Security |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kolla-ansible 8.3.0 | #8 |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kolla-ansible 10.2.0 | #9 |
| OpenStack Infra (hudson-openstack) wrote Fix included in openstack/kolla-ansible 9.3.0 | #10 |
Reviewed: https:/
Committed: https:/
Submitter: Zuul
Branch: master
commit 16f97867a3f7050
Author: likui <email address hidden>
Date: Thu Aug 6 14:12:44 2020 +0800
Fix ownership and permissions of admin-openrc.sh
Previously the post-deploy.yml playbook was executed with become: true,
and the admin-openrc.sh file templated without an owner or mode
specified. This resulted in admin-openrc.sh being owned by root with 644
permissions.
This change creates the file without become: true, and explicitly sets
the owner to the user executing Ansible, and the mode to 600.
Co-Authored-By: Mark Goddard <email address hidden>
Closes-Bug: #1891704
Change-Id: Iadf43383a7f2bf