Neutron configuration file permissions need restricting

Bug #1869126 reported by Edin S on 2020-03-26
This bug affects 1 person
Affects                               Status   Importance   Assigned to   Milestone
OpenStack neutron-api charm                    Medium       Unassigned
OpenStack neutron-gateway charm                Medium       Unassigned
OpenStack neutron-openvswitch charm            Medium       Unassigned

Bug Description

I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: neutron-gateway (254), neutron-api (263, 282), neutron-openvswitch (252, 269)

The OpenStack security checklist
(https://docs.openstack.org/security-guide/checklist.html) provides
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.

Checklist item Check-Neutron-02 ("Are strict permissions set for
configuration files?") on the Neutron check list
(https://docs.openstack.org/security-guide/networking/checklist.html)
fails.

The check requires "permissions are set to 640 or stricter, or the containing directory is set to 750".
This is not the case:
$ juju run --application neutron-gateway,neutron-api,neutron-openvswitch -- 'stat -L -c "%a" /etc/neutron/neutron.conf; stat -L -c "%a" /etc/neutron/api-paste.ini; stat -L -c "%a" /etc/neutron/policy.json; stat -L -c "%a" /etc/neutron/rootwrap.conf; stat -L -c "%a" /etc/neutron'
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-api/0
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-gateway/0
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-openvswitch/0

Edin S (exsdev) on 2020-03-26
tags: added: field-critical
Changed in charm-neutron-api:
importance: Undecided → Medium
Changed in charm-neutron-gateway:
importance: Undecided → Medium
Changed in charm-neutron-openvswitch:
importance: Undecided → Medium
Changed in charm-neutron-api:
status: New → Triaged
Changed in charm-neutron-gateway:
status: New → Triaged
Changed in charm-neutron-openvswitch:
status: New → Triaged
tags: added: field-medium
removed: field-critical

Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.

Corey Bryant (corey.bryant) wrote :

I've marked this as a dup of 1859422. Please let us know if 1859422 does not completely solve this.
