Neutron configuration files permissions needs restricting
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| OpenStack Neutron API Charm |
Triaged
|
Medium
|
Unassigned | ||
| OpenStack Neutron Gateway Charm |
Triaged
|
Medium
|
Unassigned | ||
| OpenStack Neutron Open vSwitch Charm |
Triaged
|
Medium
|
Unassigned | ||
Bug Description
I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: neutron-gateway (254), neutron-api (263, 282), neutron-openvswitch (252, 269)
The OpenStack security checklist
(https:/
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.
Checklist item Check-Neutron-02 ("Are strict permissions set for
configuration files?") on the Neutron check list
(https:/
fails.
The check requires "permissions are set to 640 or stricter, or the containing directory is set to 750".
This is not the case:
$ juju run --application neutron-
- Stderr: ""
Stdout: |
640
644
644
644
755
UnitId: neutron-api/0
- Stderr: ""
Stdout: |
640
644
644
644
755
UnitId: neutron-gateway/0
- Stderr: ""
Stdout: |
640
644
644
644
755
UnitId: neutron-
| tags: | added: field-critical |
| Changed in charm-neutron-api: | |
| importance: | Undecided → Medium |
| Changed in charm-neutron-gateway: | |
| importance: | Undecided → Medium |
| Changed in charm-neutron-openvswitch: | |
| importance: | Undecided → Medium |
| Changed in charm-neutron-api: | |
| status: | New → Triaged |
| Changed in charm-neutron-gateway: | |
| status: | New → Triaged |
| Changed in charm-neutron-openvswitch: | |
| status: | New → Triaged |
| tags: |
added: field-medium removed: field-critical |
| Aurelien Lourot (aurelien-lourot) wrote | #1 |
| Corey Bryant (corey.bryant) wrote | #2 |
Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.