Nova configuration files ownership need restricting

Bug #1869125 reported by Edin S on 2020-03-26
Affects: OpenStack nova-cloud-controller charm (Importance: Medium, Assigned to: Unassigned)
Affects: OpenStack nova-compute charm (Importance: Medium, Assigned to: Unassigned)

Bug Description

I've confirmed the issue exists in multiple environments (i.e. it's not an isolated case):
- OS: Xenial, Bionic
- OpenStack release: Queens
- Charm versions: nova-cloud-controller (312, 339), nova-compute (288, 309)

The OpenStack security checklist
(https://docs.openstack.org/security-guide/checklist.html) provides
recommendations for hardening a number of different OpenStack
services, including Keystone, Dashboard, Nova, Cinder, and Neutron.

Checklist item Check-Compute-01 ("Is user/group ownership of config files set to
root/nova?") on the Nova checklist
(https://docs.openstack.org/security-guide/compute/checklist.html)
fails.

The check requires "user and group ownership of all ... config files is set to root and nova respectively."

This is not the case:
$ juju run --application nova-cloud-controller,nova-compute-kvm -- 'stat -L -c "%U %G" /etc/nova/nova.conf ; stat -L -c "%U %G" /etc/nova/api-paste.ini ; stat -L -c "%U %G" /etc/nova/policy.json ; stat -L -c "%U %G" /etc/nova/rootwrap.conf ; stat -L -c "%U %G" /etc/nova '
- Stderr: |
    stat: cannot stat '/etc/nova/policy.json': No such file or directory
  Stdout: |
    nova nova
    nova nova
    root root
    nova nova
  UnitId: nova-cloud-controller/0
<SNIP>
- Stderr: |
    stat: cannot stat '/etc/nova/policy.json': No such file or directory
  Stdout: |
    nova nova
    nova nova
    root root
    nova nova
  UnitId: nova-compute-kvm/0
<SNIP>

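An audit script for Check-Compute-01, added here as an example and not part of the bug report or the charms: it checks the same five paths as the reporter's juju command against the checklist expectation of root/nova, treats a missing file (as with policy.json above) as "missing" rather than as an error, and exits non-zero only when a path has the wrong owner or group. It assumes GNU stat as used in the report; the NOVA_ETC override and the function names are hypothetical.

```bash
#!/bin/sh
# Added example: audit the Nova config paths named in Check-Compute-01.
# Assumes GNU stat (-L -c "%U %G"), as in the reporter's juju command.
# NOVA_ETC and the function names below are hypothetical, not charm code.

NOVA_ETC="${NOVA_ETC:-/etc/nova}"
EXPECTED_USER="root"
EXPECTED_GROUP="nova"

# owner_ok "USER GROUP": succeeds when the pair matches root/nova.
owner_ok() {
    [ "$1" = "$EXPECTED_USER $EXPECTED_GROUP" ]
}

# classify_path PATH: prints "ok", "missing", "error" or "wrong USER GROUP".
# A missing file (policy.json in the report) is reported, not treated as fatal.
classify_path() {
    path="$1"
    if [ ! -e "$path" ]; then
        echo "missing"
        return 0
    fi
    owner=$(stat -L -c "%U %G" "$path") || { echo "error"; return 0; }
    if owner_ok "$owner"; then
        echo "ok"
    else
        echo "wrong $owner"
    fi
}

# audit_nova_config [DIR]: one result line per path; returns 1 if any path
# has the wrong owner/group (the finding the bug describes), 0 otherwise.
audit_nova_config() {
    dir="${1:-$NOVA_ETC}"
    rc=0
    for p in "$dir" "$dir/nova.conf" "$dir/api-paste.ini" \
             "$dir/policy.json" "$dir/rootwrap.conf"; do
        result=$(classify_path "$p")
        printf '%-40s %s\n' "$p" "$result"
        case "$result" in
            wrong*) rc=1 ;;
        esac
    done
    return $rc
}
```

Run it on each unit (for example via `juju run --application ... -- sh audit.sh`) and act on any line starting with "wrong"; "missing" lines for policy.json are expected on releases that ship no policy file.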
Edin S (exsdev) on 2020-03-26
summary: - Nova configuration files permissions need restricting
+ Nova configuration files ownership need restricting
Edin S (exsdev) on 2020-03-26
tags: added: field-critical
Changed in charm-nova-cloud-controller:
importance: Undecided → Medium
Changed in charm-nova-compute:
importance: Undecided → Medium
Changed in charm-nova-cloud-controller:
status: New → Triaged
Changed in charm-nova-compute:
status: New → Triaged
tags: added: field-medium
removed: field-critical

Thanks for reporting! It feels more like a "medium" bug to me (as it's not blocking or breaking a deployment) but feel free to move it back up if I'm wrong.

Corey Bryant (corey.bryant) wrote :

I've marked this as a dup of 1859422. Please let us know if 1859422 does not completely solve this.
