Neutron configuration files permissions needs restricting
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Neutron API Charm | Triaged | Medium | Unassigned |
OpenStack Neutron Gateway Charm | Triaged | Medium | Unassigned |
OpenStack Neutron Open vSwitch Charm | Triaged | Medium | Unassigned |
Bug Description
I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: neutron-gateway (254), neutron-api (263, 282), neutron-openvswitch (252, 269)
The OpenStack security checklist
(https:/
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.
Checklist item Check-Neutron-02 ("Are strict permissions set for
configuration files?") on the Neutron check list
(https:/
fails.
The check requires "permissions are set to 640 or stricter, or the containing directory is set to 750".
This is not the case:
```
$ juju run --application neutron-
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-api/0
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-gateway/0
- Stderr: ""
  Stdout: |
    640
    644
    644
    644
    755
  UnitId: neutron-
```
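An added example, not part of the original report or of the charms' code: a small auditor for the rule quoted above, run against a temporary directory that reproduces the reported modes (640, 644, 644, 644, directory 755). The file names are assumptions, as is reading "stricter" as "grants no permission bit beyond the limit", applied to both the 640 file limit and the 750 directory limit.

```python
import os
import stat
import tempfile

FILE_LIMIT = 0o640  # "640 or stricter" for each configuration file
DIR_LIMIT = 0o750   # "or the containing directory is set to 750"


def at_least_as_strict(mode: int, limit: int) -> bool:
    """True when mode grants no rwx bit that limit does not grant."""
    return (mode & 0o777) & ~limit == 0


def audit(conf_dir: str) -> dict:
    """Return {file name: octal mode} for files that fail the check."""
    dir_mode = stat.S_IMODE(os.stat(conf_dir).st_mode)
    if at_least_as_strict(dir_mode, DIR_LIMIT):
        return {}  # a restrictive directory satisfies the check by itself
    failures = {}
    for name in sorted(os.listdir(conf_dir)):
        st = os.lstat(os.path.join(conf_dir, name))
        if stat.S_ISREG(st.st_mode):
            mode = stat.S_IMODE(st.st_mode)
            if not at_least_as_strict(mode, FILE_LIMIT):
                failures[name] = format(mode & 0o777, "o")
    return failures


def demo() -> tuple:
    """Rebuild the reported modes (640, 644, 644, 644, dir 755) in a temp dir."""
    modes = {  # constructed sample; file names are assumptions
        "neutron.conf": 0o640, "api-paste.ini": 0o644,
        "policy.json": 0o644, "rootwrap.conf": 0o644,
    }
    with tempfile.TemporaryDirectory() as d:
        for name, mode in modes.items():
            path = os.path.join(d, name)
            open(path, "w").close()
            os.chmod(path, mode)
        os.chmod(d, 0o755)
        before = audit(d)
        os.chmod(d, 0o750)  # tighten only the directory
        after = audit(d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

The bitmask comparison matters because octal modes do not order numerically: 604 is a smaller number than 640 but still grants read access to others.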
tags: added: field-critical
Changed in charm-neutron-api: importance: Undecided → Medium
Changed in charm-neutron-gateway: importance: Undecided → Medium
Changed in charm-neutron-openvswitch: importance: Undecided → Medium
Changed in charm-neutron-api: status: New → Triaged
Changed in charm-neutron-gateway: status: New → Triaged
Changed in charm-neutron-openvswitch: status: New → Triaged
tags: added: field-medium, removed: field-critical
Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.