OpenStack + Chef

some horizon config file should not be readable from other users

Bug #1370888 reported by LeileiZhou on 2014-09-18

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack + Chef	Fix Released	High	LeileiZhou

Bug Description

File /etc/openstack-dashboard/local_settings is set as 0644. However this file contains secrete as:
DATABASES = {
    'default': {
        'ENGINE': '',
        'NAME': 'horizon',
        'USER': 'dash',
        'PASSWORD': 'horizon',
        'HOST': '127.0.0.1',
        'default-character-set': 'utf8'
    },
}

To avoid unauthorized user to acquire the password, this file should be set as 0640 in cookbook.

Also currently, local_settings 's owner and group property is root/root. However service httpd which is running with user "apache" needs to read the file. So this file's ownship property should be changed to root/apache.

See original description

LeileiZhou (leileiz) on 2014-09-18

Changed in openstack-chef:
assignee:	nobody → LeileiZhou (leileiz)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-18: Fix proposed to cookbook-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122337

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-18: Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/122337
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=55a60d2ad05c2af64e0161444ce6e39afd289b02
Submitter: Jenkins
Branch: master

commit 55a60d2ad05c2af64e0161444ce6e39afd289b02
Author: leileiz <email address hidden>
Date: Thu Sep 18 02:38:04 2014 -0400

Update horizon conf file permission

    To avoid unauthorized users to acquire secrete in configuration
    file, set the files contain password from 0644 to 0640
    Fix bug 1370888
    Change-Id: I4557aac4c87b56ed0cbde6b623fc6dbd5b78cc33

LeileiZhou (leileiz) on 2014-09-29

description:

updated

LeileiZhou (leileiz) on 2014-09-29

description:

updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-09-29: Fix proposed to cookbook-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124672

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2014-10-08: Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/124672
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=f032bfdbd66293d06d086b3d7a2d1721387dffa4
Submitter: Jenkins
Branch: master

commit f032bfdbd66293d06d086b3d7a2d1721387dffa4
Author: leileiz <email address hidden>
Date: Mon Sep 29 02:59:15 2014 -0400

Update local_settings user group from root to apache

    local_settings is set as "root:root" and mode "0640". However
    horizon service is running with user "apache" and it needs to read
    this file. Hence set its group as "apache".

Fix bug 1370888
Change-Id: I003bef81b7d6b3229af7791dbd4e71936559c5e8

Mark Vanderwiel (vanderwl) on 2014-10-08

Changed in openstack-chef:
importance:	Undecided → High
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.