kolla-*pwd generates password file that is world-readable/writeable

Bug #2018338 reported by Douglas Mendizábal
This bug affects 1 person
Affects        Status        Importance  Assigned to     Milestone
kolla-ansible  Fix Released  High        Maksim Malchuk
Antelope       Fix Released  High        Maksim Malchuk
Xena           Fix Released  High        Maksim Malchuk
Yoga           Fix Released  High        Maksim Malchuk
Zed            Fix Released  High        Maksim Malchuk

Bug Description

The default permissions of the passwords.yml file generated by kolla-*pwd are world-readable/writeable, i.e. the permissions can be like -rw-rw-r--, which could leak passwords if any system account is compromised. This file should be set to -rw-r----- permissions instead.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
Changed in kolla-ansible:
importance: Undecided → High
assignee: nobody → Maksim Malchuk (mmalchuk)
Mark Goddard (mgoddard) wrote : Re: kolla-genpwd generates password file that is world-readable

kolla-genpwd is used like this:

  kolla-genpwd -p /path/to/passwords.yml

The passwords file must already exist, otherwise the command fails. kolla-genpwd generates passwords for any keys in the YAML file that have an empty value. It then writes the result back to the same file.

I did some simple testing, and kolla-genpwd does not modify the permissions of the passwords file.

 chmod 600 etc/kolla/passwords.yml
 .tox/venv/bin/kolla-genpwd -p etc/kolla/passwords.yml
 ls -l etc/kolla/passwords.yml
 -rw------- 1 user user 34066 May 3 09:31 etc/kolla/passwords.yml

Mark Goddard (mgoddard) wrote :

Perhaps we need to improve the documentation around this?

Maksim Malchuk (mmalchuk) wrote :

Indeed, kolla-genpwd by default reads the existing file and overwrites it; in doing so, the file permissions aren't touched. I've changed the workflow to: read, remove and recreate the file with correct permissions. I agree with updating the documentation, but I think we should also fix operator errors which can lead to unpredictable problems. Do we really need to set 640, or maybe 600?

Mark Goddard (mgoddard)
information type: Private Security → Public Security
Mark Goddard (mgoddard) wrote :

Another option would be to fail if the file is world-readable.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Maksim Malchuk (mmalchuk) wrote : Re: kolla-genpwd generates password file that is world-readable

Maybe this is a good option, but it brings more problems than solutions: https://zuul.opendev.org/t/openstack/build/698adf4017a44bb39f18589cf2d3561d
Fixed in next patchset.

Maksim Malchuk (mmalchuk) wrote :

Should we merge both options? BTW, we also have mergepwd which can create the new passwords.yml based on default system umask.

Mark Goddard (mgoddard) wrote :

You're right, kolla-mergepwd could be a problem here. There are also kolla-readpwd and kolla-writepwd, which interact with HashiCorp Vault.

We probably don't need both solutions for kolla-genpwd - we don't need to abort if we are going to change the permissions.

If we need to support setting permissions in other commands, that does make an argument for doing the same in kolla-genpwd.

Maksim Malchuk (mmalchuk) wrote :

So, maybe we should check and display a warning that the permissions are incorrect and notify that they were changed, instead of aborting.

OpenStack Infra (hudson-openstack) wrote : Change abandoned on kolla-ansible (master)

Change abandoned by "Maksim Malchuk <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/882177
Reason: merged with https://review.opendev.org/c/openstack/kolla-ansible/+/882100

summary: - kolla-genpwd generates password file that is world-readable
+ kolla-*pwd generates password file that is world-readable/writeable
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/882100
Committed: https://opendev.org/openstack/kolla-ansible/commit/5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86
Submitter: "Zuul (22348)"
Branch: master

commit 5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86
Author: Maksim Malchuk <email address hidden>
Date: Wed May 3 00:37:59 2023 +0300

    Fix passwords.yml permissions

    The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
    commands now create or update passwords.yml with correct
    permissions. Also they display a warning message about incorrect
    permissions.

    Closes-Bug: #2018338
    Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
    Signed-off-by: Maksim Malchuk <email address hidden>

Changed in kolla-ansible:
status: In Progress → Fix Released
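
The approach discussed in this thread (warn when an existing passwords file is too open, then recreate it with fixed permissions instead of relying on the umask), as an added Python example that is not kolla-ansible's code and not part of the original report. The names SAFE_MODE, excess_bits and write_secrets are hypothetical, the 0640 mode is the one requested in the bug description, and the file contents are constructed.

```python
import os
import stat
import tempfile

SAFE_MODE = 0o640  # -rw-r-----, the mode requested in the bug description


def excess_bits(path, allowed=SAFE_MODE):
    """Return the permission bits set on path beyond `allowed` (0 if none)."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed


def write_secrets(path, data, mode=SAFE_MODE):
    """Replace path with data at exactly `mode`; return a list of warnings."""
    warnings = []
    if os.path.exists(path):
        extra = excess_bits(path, mode)
        if extra:
            warnings.append(f"{path}: permissions too open (extra bits "
                            f"{extra:04o}), resetting to {mode:04o}")
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates the file 0600 whatever the umask is, so the
    # secrets are never readable by others while being written.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".passwords-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(data)
        os.chmod(tmp, mode)    # explicit chmod is not filtered by the umask
        os.replace(tmp, path)  # atomic swap: readers see old or new, never partial
    except BaseException:
        os.unlink(tmp)
        raise
    return warnings


def demo():
    """Constructed scenario: umask 002 and a file created by plain open()."""
    path = os.path.join(tempfile.mkdtemp(), "passwords.yml")
    previous = os.umask(0o002)
    try:
        with open(path, "w") as f:   # mode comes from the umask: 0664
            f.write("database_password:\n")
        before = stat.S_IMODE(os.stat(path).st_mode)
        warnings = write_secrets(path, "database_password: constructed-value\n")
        after = stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.umask(previous)
    return before, after, warnings


if __name__ == "__main__":
    print(demo())
```

Because the replacement is a new inode owned by the calling user, any group ownership set on the old file has to be reapplied by the operator.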
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/2023.1)

Fix proposed to branch: stable/2023.1
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/885867

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/zed)

Fix proposed to branch: stable/zed
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/885868

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/885869

OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/885870

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/zed)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/885868
Committed: https://opendev.org/openstack/kolla-ansible/commit/635330912d6ae2ff0a355feda2768fba3fa8ea9a
Submitter: "Zuul (22348)"
Branch: stable/zed

commit 635330912d6ae2ff0a355feda2768fba3fa8ea9a
Author: Maksim Malchuk <email address hidden>
Date: Wed May 3 00:37:59 2023 +0300

    Fix passwords.yml permissions

    The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
    commands now create or update passwords.yml with correct
    permissions. Also they display a warning message about incorrect
    permissions.

    Closes-Bug: #2018338
    Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit 5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/885869
Committed: https://opendev.org/openstack/kolla-ansible/commit/64c77ef013540e8995ce421b10a979503c5252ed
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 64c77ef013540e8995ce421b10a979503c5252ed
Author: Maksim Malchuk <email address hidden>
Date: Wed May 3 00:37:59 2023 +0300

    Fix passwords.yml permissions

    The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
    commands now create or update passwords.yml with correct
    permissions. Also they display a warning message about incorrect
    permissions.

    Closes-Bug: #2018338
    Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit 5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/2023.1)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/885867
Committed: https://opendev.org/openstack/kolla-ansible/commit/1740c7f271690ceb238a8b27c0d6b8ec9f94b96b
Submitter: "Zuul (22348)"
Branch: stable/2023.1

commit 1740c7f271690ceb238a8b27c0d6b8ec9f94b96b
Author: Maksim Malchuk <email address hidden>
Date: Wed May 3 00:37:59 2023 +0300

    Fix passwords.yml permissions

    The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
    commands now create or update passwords.yml with correct
    permissions. Also they display a warning message about incorrect
    permissions.

    Closes-Bug: #2018338
    Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit 5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86)

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/885870
Committed: https://opendev.org/openstack/kolla-ansible/commit/46c05054361d24f6702afc6bc62beac0cd2bf693
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 46c05054361d24f6702afc6bc62beac0cd2bf693
Author: Maksim Malchuk <email address hidden>
Date: Wed May 3 00:37:59 2023 +0300

    Fix passwords.yml permissions

    The kolla-genpwd, kolla-mergepwd, kolla-readpwd and kolla-writepwd
    commands now create or update passwords.yml with correct
    permissions. Also they display a warning message about incorrect
    permissions.

    Closes-Bug: #2018338
    Change-Id: I4b50053ced9150499d1d09fd4a0ec2e243cf938b
    Signed-off-by: Maksim Malchuk <email address hidden>
    (cherry picked from commit 5fd8117098d3fec6d96f6a918cc2d2bfa2f14c86)

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 16.1.0

This issue was fixed in the openstack/kolla-ansible 16.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.9.0

This issue was fixed in the openstack/kolla-ansible 14.9.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.2.0

This issue was fixed in the openstack/kolla-ansible 15.2.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible xena-eol

This issue was fixed in the openstack/kolla-ansible xena-eol release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 17.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 17.0.0.0rc1 release candidate.
