Comment 6 for bug 1168252

Kurt Seifried (kseifried) wrote : Re: LDAP password and admin_token should be secret

Ok the CVE I assigned (CVE-2013-1977 as per http://seclists.org/oss-sec/2013/q2/126) covers the default devstack (git clone https://github.com/openstack-dev/devstack.git ; cd devstack && ./stack.sh ) which creates:

drwxr-xr-x. 3 stack root 4096 Apr 19 18:39 /etc/keystone
-rw-rw-r--. 1 stack stack 10251 Apr 19 18:33 /etc/keystone/keystone.conf

which exposes the above secrets. If things are ALSO exposed in the log files, that's a second security issue as well and I'll assign a CVE for it.
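An added example, not part of the original comment or of devstack: a shell check that reports when a config file holding secrets is readable by "other" through a searchable parent directory, as in the listing above. It assumes GNU coreutils `stat`; the function names and the key pattern (`admin_token`, `password`, taken from the bug title) are hypothetical choices for this illustration.

```shell
#!/bin/sh
# Added example: flag config files that hold secrets yet are readable by "other".
# Assumes GNU coreutils stat (-c). Only the immediate parent directory is checked.

# other_bits PATH -> prints the octal "other" permission digit (0-7)
other_bits() {
    mode=$(stat -c '%a' -- "$1") || return 2
    printf '%s\n' "${mode#"${mode%?}"}"   # keep only the last octal digit
}

# holds_secrets FILE -> 0 if the file sets admin_token or a password key
# (key names are an assumption based on the bug title)
holds_secrets() {
    grep -Eq '^[[:space:]]*(admin_token|password)[[:space:]]*=' -- "$1"
}

# audit_conf FILE -> prints a verdict; returns 1 when secrets are exposed,
# 2 when the file is missing or cannot be inspected, 0 otherwise
audit_conf() {
    file=$1
    dir=$(dirname -- "$file")
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }
    fbits=$(other_bits "$file") || return 2
    dbits=$(other_bits "$dir") || return 2
    # "other" needs read (4) on the file and search (1) on the directory
    if [ $((fbits & 4)) -ne 0 ] && [ $((dbits & 1)) -ne 0 ] \
        && holds_secrets "$file"; then
        echo "EXPOSED $file (file other=$fbits, dir other=$dbits)"
        return 1
    fi
    echo "OK $file"
    return 0
}

# Usage: audit_conf /etc/keystone/keystone.conf
```

With the modes shown in the listing (directory `755`, file `664`) the check reports EXPOSED; removing the "other" read bit from the file or the "other" search bit from the directory makes it report OK.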