mysql root password in nova logs 644
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Compute (nova) | Fix Released | Medium | Josh Kearney | |
Bug Description
nova logs have file permission 644 by default and contain mysql root passwd
2011-06-30 08:32:15,607 DEBUG nova [-] sql_connection : mysql:/
cloud@cloud:~$ ls -al /var/log/nova/
total 89040
drwxr-xr-x 2 nova root 4096 2011-07-04 06:30 .
drwxr-xr-x 16 root root 4096 2011-07-04 06:30 ..
-rw-r--r-- 1 nova root 59854 2011-06-29 15:48 install.log
-rw-r--r-- 1 nova nogroup 31824 2011-07-04 13:52 nova-api.log
-rw-r--r-- 1 nova nogroup 0 2011-07-04 06:30 nova-compute.log
-rw-r--r-- 1 nova nogroup 59826 2011-06-29 15:48 nova-manage.log
-rw-r--r-- 1 nova nogroup 0 2011-07-04 06:30 nova-network.log
-rw-r--r-- 1 root root 300 2011-07-04 06:30 nova-objectstor
-rw-r--r-- 1 nova nogroup 105028 2011-07-04 17:51 nova-scheduler.log
Related branches
- Sandy Walsh (community): Approve
- Jason Kölker (community): Approve
- Ed Leafe (community): Approve
- Kevin L. Mitchell (community): Approve
- John Tran (community): Approve
Diff: 24 lines (+2/-1), 2 files modified: nova/flags.py (+1/-1), nova/log.py (+1/-0)
Changed in nova:
status: Confirmed → In Progress
assignee: nobody → Josh Kearney (jk0)
Changed in nova:
status: In Progress → Fix Committed
Changed in nova:
milestone: none → diablo-4
Changed in nova:
milestone: diablo-4 → 2011.3
status: Fix Committed → Fix Released
We should probably have a list of sensitive flags that should not be dumped... or turn the logs 640.
Workaround is to run without --debug (--debug is not suitable in production anyway?)
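
The two mitigations suggested in the comment above (a list of sensitive flags that are not dumped, and log files at mode 640), sketched as an added example; this is not the nova patch linked from this bug. `SENSITIVE_FLAGS`, `mask_flag`, `open_private_log`, `dump_flags` and the `example_api_password` flag are hypothetical names, and the sample connection string is constructed.

```python
import logging
import os
import stat
import tempfile
from urllib.parse import urlsplit, urlunsplit

# Assumed deny-list; only sql_connection comes from the bug report.
SENSITIVE_FLAGS = {"sql_connection", "example_api_password"}


def mask_flag(name, value):
    """Return a log-safe rendering of one flag value."""
    if name not in SENSITIVE_FLAGS:
        return value
    parts = urlsplit(str(value))
    if parts.scheme and parts.password is not None:
        # Connection URL: keep scheme, user and host for debugging, drop the password.
        hostpart = parts.netloc.rpartition("@")[2]
        netloc = "%s:***@%s" % (parts.username, hostpart)
        return urlunsplit(parts._replace(netloc=netloc))
    return "***"  # anything we cannot parse is masked entirely


def open_private_log(path, mode=0o640):
    """Create the log file as owner/group-readable only and return a handler for it."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT, mode)
    os.fchmod(fd, mode)  # overrides umask and tightens a pre-existing 0644 file
    os.close(fd)
    return logging.FileHandler(path)


def dump_flags(logger, flags):
    """Log every flag at DEBUG, as a --debug start-up dump does, with secrets masked."""
    for name in sorted(flags):
        logger.debug("%s : %s", name, mask_flag(name, flags[name]))


def demo():
    path = os.path.join(tempfile.mkdtemp(), "nova-api.log")
    handler = open_private_log(path)
    logger = logging.getLogger("flagdump.example")
    logger.setLevel(logging.DEBUG)
    logger.addHandler(handler)
    # Constructed sample flags; the password is made up.
    dump_flags(logger, {"sql_connection": "mysql://root:s3cret@localhost/nova", "verbose": True})
    handler.close()
    logger.removeHandler(handler)
    with open(path) as f:
        return f.read(), stat.S_IMODE(os.stat(path).st_mode)
```

Calling `demo()` returns the written log text and the resulting file mode, so both mitigations can be checked together.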