user_secrets.yml file permissions too open

Bug #1461997 reported by Christopher H. Laco on 2015-06-04
This bug affects 1 person
Affects            Status  Importance  Assigned to  Milestone
openstack-ansible          Medium      Andy McCrae
Kilo                       Medium      Andy McCrae
Trunk                      Medium      Andy McCrae

Bug Description

By default, the file permissions on user_secrets.yml are 0644, which is readable by normal users.

It might be beneficial to have any script that updates that file (scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml) warn loudly at invalid file permissions, or change them automatically as part of the installation.

Minimally, we should update https://github.com/stackforge/os-ansible-deployment/blob/master/README.rst to include a step telling folks to ensure they have secure permissions and optionally, to use ansible-vault.
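
One way to implement the warn-or-fix check the report asks for, using the 0600 mode the fix below settles on. This is an added example in Python, not the code of pw-token-gen.py or of the project; the function names and the sample file are constructed for illustration.

```python
import os
import stat
import sys
import tempfile

SECURE_MODE = 0o600                      # owner read/write only, as in the fix
TOO_OPEN = stat.S_IRWXG | stat.S_IRWXO   # any group or other permission bit


def enforce_secure_mode(path, fix=True):
    """Warn if path is open beyond its owner; if fix, set 0600. Returns old mode."""
    # O_NOFOLLOW plus fstat/fchmod keeps the check and the change on one inode.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        found = stat.S_IMODE(os.fstat(fd).st_mode)
        if found & TOO_OPEN:
            print("WARNING: %s has mode %04o, expected %04o"
                  % (path, found, SECURE_MODE), file=sys.stderr)
            if fix:
                os.fchmod(fd, SECURE_MODE)
        return found
    finally:
        os.close(fd)


def write_secrets(path, data):
    """Create or rewrite the file at 0600 before any secret is written to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SECURE_MODE)
    with os.fdopen(fd, "w") as handle:
        # The mode given to os.open is ignored when the file already exists.
        os.fchmod(fd, SECURE_MODE)
        handle.write(data)


def demo():
    """Constructed sample: a 0644 secrets file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "user_secrets.yml")
        with open(path, "w") as handle:
            handle.write("sample_password: constructed-value\n")
        os.chmod(path, 0o644)
        before = enforce_secure_mode(path)
        after = stat.S_IMODE(os.stat(path).st_mode)
        return before, after


if __name__ == "__main__":
    print("before=%04o after=%04o" % demo())
```

Writing through `write_secrets` avoids the window in which a file created with the default mode holds secrets before a later chmod runs.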

Changed in openstack-ansible:
status: Confirmed → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/190570

Reviewed: https://review.openstack.org/190570
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=3f8905caee8a0ec1afe90ba6df9b91aca14c67ec
Submitter: Jenkins
Branch: master

commit 3f8905caee8a0ec1afe90ba6df9b91aca14c67ec
Author: Andy McCrae <email address hidden>
Date: Thu Jun 11 11:21:52 2015 +0100

    Set permissions on user_secrets.yml to 0600

    The permissions on the user_secrets file are too open, adjust this so that
    after using pw-token-gen.py it sets the file to be 0600 for
    user_secrets.yml and the backup tar file that is created. Additionally,
    add a note in the README to recommend adjusting the permissions when not
    utilising the pw-token-gen.py

    Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
    Closes-Bug: #1461997

Changed in openstack-ansible:
status: In Progress → Fix Committed

Reviewed: https://review.openstack.org/191851
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=e012443e486a859e39ab8d4a3ecbf3396e5cf62a
Submitter: Jenkins
Branch: kilo

commit e012443e486a859e39ab8d4a3ecbf3396e5cf62a
Author: Andy McCrae <email address hidden>
Date: Thu Jun 11 11:21:52 2015 +0100

    Set permissions on user_secrets.yml to 0600

    The permissions on the user_secrets file are too open, adjust this so that
    after using pw-token-gen.py it sets the file to be 0600 for
    user_secrets.yml and the backup tar file that is created. Additionally,
    add a note in the README to recommend adjusting the permissions when not
    utilising the pw-token-gen.py

    Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
    Closes-Bug: #1461997
    (cherry picked from commit 3f8905caee8a0ec1afe90ba6df9b91aca14c67ec)

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
