some horizon config file should not be readable from other users

Bug #1370888 reported by LeileiZhou
Affects | Status | Importance | Assigned to | Milestone
OpenStack + Chef | Fix Released | High | LeileiZhou |

Bug Description

File /etc/openstack-dashboard/local_settings is set to 0644. However, this file contains secrets such as:
DATABASES = {
    'default': {
        'ENGINE': '',
        'NAME': 'horizon',
        'USER': 'dash',
        'PASSWORD': 'horizon',
        'HOST': '127.0.0.1',
        'default-character-set': 'utf8'
    },
}

To prevent unauthorized users from acquiring the password, this file should be set to 0640 in the cookbook.

Also, local_settings's owner and group are currently root/root. However, the httpd service, which runs as user "apache", needs to read the file. So this file's ownership should be changed to root/apache.

LeileiZhou (leileiz)
Changed in openstack-chef:
assignee: nobody → LeileiZhou (leileiz)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/122337

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/122337
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=55a60d2ad05c2af64e0161444ce6e39afd289b02
Submitter: Jenkins
Branch: master

commit 55a60d2ad05c2af64e0161444ce6e39afd289b02
Author: leileiz <email address hidden>
Date: Thu Sep 18 02:38:04 2014 -0400

    Update horizon conf file permission

    To prevent unauthorized users from acquiring secrets in the configuration
    file, set the files that contain passwords from 0644 to 0640
    Fix bug 1370888
    Change-Id: I4557aac4c87b56ed0cbde6b623fc6dbd5b78cc33

LeileiZhou (leileiz)
description: updated
LeileiZhou (leileiz)
description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cookbook-openstack-dashboard (master)

Fix proposed to branch: master
Review: https://review.openstack.org/124672

OpenStack Infra (hudson-openstack) wrote : Fix merged to cookbook-openstack-dashboard (master)

Reviewed: https://review.openstack.org/124672
Committed: https://git.openstack.org/cgit/stackforge/cookbook-openstack-dashboard/commit/?id=f032bfdbd66293d06d086b3d7a2d1721387dffa4
Submitter: Jenkins
Branch: master

commit f032bfdbd66293d06d086b3d7a2d1721387dffa4
Author: leileiz <email address hidden>
Date: Mon Sep 29 02:59:15 2014 -0400

    Update local_settings user group from root to apache

    local_settings is set as "root:root" and mode "0640". However
    horizon service is running with user "apache" and it needs to read
    this file. Hence set its group as "apache".

    Fix bug 1370888
    Change-Id: I003bef81b7d6b3229af7791dbd4e71936559c5e8

Changed in openstack-chef:
importance: Undecided → High
status: New → Fix Released
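
The end state the two commits aim for (mode 0640, owner root, group apache on /etc/openstack-dashboard/local_settings) can be checked on a node with an audit like the one below. This is an added example, not code from the cookbook; the helper names `audit_secret_file`, `user_name` and `group_name` are hypothetical, and the demo runs against a constructed temp file rather than the real path.

```ruby
require 'etc'
require 'tempfile'

# Hypothetical helpers (not cookbook code): resolve ids to names, falling back
# to the numeric id when the node has no passwd/group entry for it.
def user_name(uid)
  Etc.getpwuid(uid)&.name || uid.to_s
rescue ArgumentError
  uid.to_s
end

def group_name(gid)
  Etc.getgrgid(gid)&.name || gid.to_s
rescue ArgumentError
  gid.to_s
end

# Returns a list of findings for a secrets-bearing config file; empty means OK.
# max_mode 0640 is the mode the bug report asks for.
def audit_secret_file(path, owner: nil, group: nil, max_mode: 0o640)
  st = File.stat(path)
  mode = st.mode & 0o7777
  findings = []
  # Bits outside max_mode are excess access: 0644 & ~0640 == 0004 (world read).
  excess = mode & ~max_mode
  findings << format('mode %04o has excess bits %04o', mode, excess) unless excess.zero?
  findings << "owner is #{user_name(st.uid)}, want #{owner}" if owner && user_name(st.uid) != owner
  if group
    findings << "group is #{group_name(st.gid)}, want #{group}" if group_name(st.gid) != group
    # The service account reads the file through its group, so g+r must be set.
    findings << 'group read bit missing' if (mode & 0o040).zero?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  # Constructed stand-in for /etc/openstack-dashboard/local_settings.
  Tempfile.create('local_settings') do |f|
    [0o644, 0o640].each do |m|
      File.chmod(m, f.path)
      puts format('%04o -> %s', m, audit_secret_file(f.path).inspect)
    end
  end
end
```

On a deployed node the call would be `audit_secret_file('/etc/openstack-dashboard/local_settings', owner: 'root', group: 'apache')`; the group check covers the case from the second commit, where 0640 with root:root locks the service out.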