sysinv.conf.default is readable to all users

Bug #1849837 reported by Bin Qian
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Bin Qian

Bug Description

Brief Description
-----------------
/opt/platform/sysinv/19.09/sysinv.conf.default is currently created as readable to all users. The file contains rabbit password and sysinv keystone auth password.

controller-0:~$ ls /opt/platform/sysinv/19.09/sysinv.conf.default -la
-rw-r--r-- 1 root root 1830 Oct 23 21:52 /opt/platform/sysinv/19.09/sysinv.conf.default

This file should be created as owned by sysinv and only read/write to sysinv (i.e., 0600).

Severity
--------
Critical

Steps to Reproduce
------------------
In any load,
ls /opt/platform/sysinv/19.09/sysinv.conf.default -la

Expected Behavior
------------------
The file should not be readable to users other than sysinv or those with root privilege.

Reproducibility
---------------
all systems

System Configuration
--------------------
any

Branch/Pull Time/Commit
-----------------------
master

Last Pass
---------
none

Timestamp/Logs
--------------
N/A

Test Activity
-------------

Ghada Khalil (gkhalil)
information type: Private Security → Public Security
Ghada Khalil (gkhalil) wrote :

stx.3.0 / medium priority - would be nice to fix to close the security concern.

tags: added: stx.security
tags: added: stx.3.0
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
assignee: nobody → Andy (andy.wrs)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/691940

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on stx-puppet (master)

Change abandoned by Andy Ning (<email address hidden>) on branch: master
Review: https://review.opendev.org/691940
Reason: The changes will be incorporated into https://review.opendev.org/#/c/691714/

Ghada Khalil (gkhalil) wrote :

Assigning to Bin since he has code changes in progress that should deal with this bug

Changed in starlingx:
assignee: Andy (andy.wrs) → Bin Qian (bqian20)
Bin Qian (bqian20) wrote :

The fix is in 2 change lists:
https://review.opendev.org/#/c/691714
https://review.opendev.org/#/c/692439

The fix has changed the file owner to root and the file attribute to 0x400, so that it is read-only to the root user, with no access for other users, which is more appropriate.
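
An audit for the exposure described in this report (group/other bits set on a file holding credentials) and for the end state the fix describes (owned by root or sysinv, no access beyond the owner), as an added example that is not code from the report or from StarlingX; the function names and the scratch file content are constructed for illustration:

```python
import os
import pwd
import stat
import tempfile

# Any group or other permission bit exposes the credentials to non-owners.
NON_OWNER_BITS = stat.S_IRWXG | stat.S_IRWXO


def ls_mode_exposes(ls_field):
    """True if an 'ls -l' mode field such as '-rw-r--r--' grants group/other access."""
    return any(ch != "-" for ch in ls_field[4:10])


def audit_config_file(path, allowed_owners=("sysinv", "root")):
    """Return findings for a credentials file; empty means 0600/0400 owned by an allowed account."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["path is a symlink; inspect the target explicitly"]
    findings = []
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    if owner not in allowed_owners:
        findings.append(f"owner {owner} not in {allowed_owners}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & NON_OWNER_BITS:
        findings.append(f"mode {mode:04o} grants access beyond the owner")
    return findings


def harden(path, mode=0o600):
    """Clear group/other bits (0600 as requested in the report, 0400 as in the fix)."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Recreate the reported 0644 state on a scratch file (constructed content) and audit before/after."""
    me = pwd.getpwuid(os.getuid()).pw_name
    fd, path = tempfile.mkstemp(prefix="sysinv.conf.default.")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("[DEFAULT]\nrabbit_password = PLACEHOLDER\n")  # constructed, not a real secret
        os.chmod(path, 0o644)  # the world-readable mode shown in the report
        before = audit_config_file(path, allowed_owners=(me,))
        harden(path, 0o600)
        after = audit_config_file(path, allowed_owners=(me,))
    finally:
        os.unlink(path)
    return before, after
```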

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/691714
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=666008a5836124665258d1b06b4017ba3ae560c7
Submitter: Zuul
Branch: master

commit 666008a5836124665258d1b06b4017ba3ae560c7
Author: Bin Qian <email address hidden>
Date: Fri Oct 18 18:44:38 2019 -0400

    Copy sysinv.config to drbd drive only once

    This change is to ensure copying sysinv.config to the drbd drive only once
    when controller-0 is unlocked successfully the 1st time.

    The file was previously copied periodically from the active controller,
    which occasionally causes the runtime config to fail to apply if a swact
    happens to start. The result is that the controller is config-out-of-date.

    This fix also ensures all nodes go through the same invprovision
    cycle: none (installing)
           -> provisioning (installed)
           -> provisioned (unlocked successfully 1st time)
    Previously controller-0 of a standard load started with provisioned,
    even before it was unlocked the 1st time.

    Depends-on: https://review.opendev.org/691713
    Closes-Bug: 1848355
    Closes-Bug: 1849837

    Change-Id: Ifdfb985c8cde86f9c9074dc0774cb0dd805aacd1
    Signed-off-by: Bin Qian <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released