user_secrets.yml file permissions too open

Bug #1461997 reported by Christopher H. Laco
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
OpenStack-Ansible  Fix Released  Medium      Andy McCrae
Kilo               Fix Released  Medium      Andy McCrae
Trunk              Fix Released  Medium      Andy McCrae

Bug Description

By default, the file permissions on user_secrets.yml are 0644, which is readable by normal users.

It might be beneficial to have any script that updates that file (scripts/pw-token-gen.py --file /etc/openstack_deploy/user_secrets.yml) warn loudly at invalid file permissions, or change them automatically as part of the installation.

Minimally, we should update https://github.com/stackforge/os-ansible-deployment/blob/master/README.rst to include a step telling folks to ensure they have secure permissions and optionally, to use ansible-vault.

Changed in openstack-ansible:
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote :

Fix proposed to branch: master
Review: https://review.openstack.org/190570

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (master)

Reviewed: https://review.openstack.org/190570
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=3f8905caee8a0ec1afe90ba6df9b91aca14c67ec
Submitter: Jenkins
Branch: master

commit 3f8905caee8a0ec1afe90ba6df9b91aca14c67ec
Author: Andy McCrae <email address hidden>
Date: Thu Jun 11 11:21:52 2015 +0100

    Set permissions on user_secrets.yml to 0600

    The permissions on the user_secrets file are too open, adjust this so that
    after using pw-token-gen.py it sets the file to be 0600 for
    user_secrets.yml and the backup tar file that is created. Additionally,
    add a note in the README to recommend adjusting the permissions when not
    utilising the pw-token-gen.py

    Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
    Closes-Bug: #1461997
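
An added example, not the project's pw-token-gen.py or the merged change: one way a script could warn on loose permissions and tighten a secrets file to 0600, as the report suggests and the commit message describes. The function names and the sample file contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

SECURE_MODE = 0o600  # owner read/write only


def audit_secret_file(path, fix=False):
    """Return (mode_before, mode_after, warnings); fix=True tightens to 0600."""
    st = os.lstat(path)  # lstat: do not silently follow a symlink
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    before = stat.S_IMODE(st.st_mode)
    excess = before & (stat.S_IRWXG | stat.S_IRWXO)  # any group/other bit
    warnings = []
    if excess:
        warnings.append("WARNING: %s has mode %04o; group/other bits %04o "
                        "expose secrets" % (path, before, excess))
    after = before
    if excess and fix:
        os.chmod(path, SECURE_MODE)
        after = stat.S_IMODE(os.lstat(path).st_mode)
    return before, after, warnings


def write_secret_file(path, data):
    """Create or overwrite a secrets file that is 0600 before data lands."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, SECURE_MODE)
    with os.fdopen(fd, "w") as handle:
        # os.open's mode only applies to new files and is masked by umask,
        # so set the mode explicitly before writing any secret.
        os.fchmod(handle.fileno(), SECURE_MODE)
        handle.write(data)


def demo():
    """Constructed sample: a 0644 secrets file in a temporary directory."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "user_secrets.yml")
    with open(path, "w") as handle:
        handle.write("example_password: constructed-sample\n")
    os.chmod(path, 0o644)  # the loose default described in the report
    audited = audit_secret_file(path, fix=True)
    fresh = os.path.join(workdir, "new_secrets.yml")
    write_secret_file(fresh, "example_password: constructed-sample\n")
    return audited, stat.S_IMODE(os.stat(fresh).st_mode)
```

The same audit applies to any backup archive written next to the secrets file, since it holds the same values.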

Changed in openstack-ansible:
status: In Progress → Fix Committed
OpenStack Infra (hudson-openstack) wrote : Fix proposed to os-ansible-deployment (kilo)

Fix proposed to branch: kilo
Review: https://review.openstack.org/191851

OpenStack Infra (hudson-openstack) wrote : Fix merged to os-ansible-deployment (kilo)

Reviewed: https://review.openstack.org/191851
Committed: https://git.openstack.org/cgit/stackforge/os-ansible-deployment/commit/?id=e012443e486a859e39ab8d4a3ecbf3396e5cf62a
Submitter: Jenkins
Branch: kilo

commit e012443e486a859e39ab8d4a3ecbf3396e5cf62a
Author: Andy McCrae <email address hidden>
Date: Thu Jun 11 11:21:52 2015 +0100

    Set permissions on user_secrets.yml to 0600

    The permissions on the user_secrets file are too open, adjust this so that
    after using pw-token-gen.py it sets the file to be 0600 for
    user_secrets.yml and the backup tar file that is created. Additionally,
    add a note in the README to recommend adjusting the permissions when not
    utilising the pw-token-gen.py

    Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
    Closes-Bug: #1461997
    (cherry picked from commit 3f8905caee8a0ec1afe90ba6df9b91aca14c67ec)

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.11

This issue was fixed in the openstack/openstack-ansible 11.2.11 release.

Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/openstack-ansible 11.2.12

This issue was fixed in the openstack/openstack-ansible 11.2.12 release.

Davanum Srinivas (DIMS) (dims-v) wrote : Fix included in openstack/openstack-ansible 11.2.14

This issue was fixed in the openstack/openstack-ansible 11.2.14 release.
