keystone-common recursively changes permissions for $HOME
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Ubuntu Cloud Archive | New | Undecided | Unassigned | | |
Bug Description
As part of the postinst step in the keystone-common package, the following code executes:
find /var/lib/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
This eventually results in incorrect behavior once the keystone user has a .ssh/ folder under its home, since private keys would be chmod-ed to 0640, which would raise further authentication failures.
SSH could be used for keystone to distribute fernet keys in case of an HA deployment for keystone. It is quite a common practice to achieve fernet distribution through SSH.
So it would be much appreciated if keystone-common would avoid recursively changing permissions on /var/lib/keystone, or at least avoid doing so for the .ssh folder there.
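One way to keep the same file and directory modes while leaving .ssh untouched, as an added example that is not part of the original report or the keystone-common package. The function names and the sample tree (a temporary directory standing in for /var/lib/keystone, with a dummy key file) are constructed for illustration, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example; fix_perms, mode_of and make_sample_home are hypothetical
# names, not taken from the keystone-common postinst.

# Same modes as the command in the report, but .ssh is pruned: find does not
# descend into it, and the .ssh directory itself is not chmod-ed either.
fix_perms() {
    find "$1" \
        -path "$1/.ssh" -prune -o \
        -type f -exec chmod 0640 {} + -o \
        -type d -exec chmod 0750 {} +
}

# Octal mode of a path (GNU stat).
mode_of() {
    stat -c '%a' "$1"
}

# Constructed stand-in for the keystone home, with deliberately loose modes
# outside .ssh and the modes OpenSSH expects inside it.
make_sample_home() {
    home=$(mktemp -d)
    mkdir -p "$home/.ssh" "$home/data"
    echo 'dummy, not a real key' > "$home/.ssh/id_rsa"
    echo 'dummy' > "$home/data/file"
    chmod 0700 "$home/.ssh"
    chmod 0600 "$home/.ssh/id_rsa"
    chmod 0755 "$home/data"
    chmod 0644 "$home/data/file"
    echo "$home"
}

# Run on the sample tree and list the resulting modes.
sample=$(make_sample_home)
fix_perms "$sample"
for p in .ssh .ssh/id_rsa data data/file; do
    printf '%s %s\n' "$(mode_of "$sample/$p")" "$p"
done
rm -rf "$sample"
```

OpenSSH refuses a private key that is readable by group or others, which is why the key has to stay at 0600 rather than 0640.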