Restrict access privilege of mtce config files and daemons

Bug #1887403 reported by Eric MacDonald
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Eric MacDonald

Bug Description

Maintenance start scripts, daemons and config file permissions need to be restricted.

mtce config files 644 -> 600
mtce daemon start/stop scripts 755 -> 700
mtce daemons 755 -> 700

Severity: Minor
Reproducibility: 100% reproducible

Steps to Reproduce
------------------
N/A

Expected Behavior
------------------
mtce init scripts, daemons and config files readable and for scripts and daemons executable as root only.

Actual Behavior
----------------
Mtce config files can be read by group and world and although the daemon startup will fail unless root, the start scripts and daemons themselves can be run with group and world permission.

System Configuration
--------------------
Any

Branch/Pull Time/Commit
-----------------------
master

Last Pass
---------
Not tested.

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Integration Testing

Workaround
----------
N/A
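
A check for the condition this report describes, as an added example that is not part of the bug report or the StarlingX fix: it flags files with any group/other permission bit and then strips those bits. The file names and the temporary directory are constructed for illustration, and GNU `stat` and `find` are assumed.

```shell
#!/bin/sh
# Added example: flag files that grant any group/other access, then restrict.
# Targets follow the bug report: config files 600, scripts and daemons 700.

# Print "<mode> <target> <path>" for every regular file under $1 that has
# any group or other permission bit set.
audit_tree() {
    find "$1" -type f | sort | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")            # GNU stat: octal mode, e.g. 644
        # Owner-execute bit set => script or daemon (700); otherwise config (600).
        if [ $(( 0$mode & 0100 )) -ne 0 ]; then want=700; else want=600; fi
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            printf '%s %s %s\n' "$mode" "$want" "$f"
        fi
    done
}

count_findings() { audit_tree "$1" | wc -l | tr -d ' '; }

# Strip all group/other bits and leave the owner bits untouched.
restrict_tree() { find "$1" -type f -exec chmod go-rwx {} +; }

# Build a constructed sample tree (hypothetical names, not StarlingX paths).
make_sample() {
    d=$(mktemp -d)
    touch "$d/sample.conf" "$d/locked.conf" "$d/sample-init" "$d/sample-daemon"
    chmod 644 "$d/sample.conf"
    chmod 600 "$d/locked.conf"
    chmod 755 "$d/sample-init"
    chmod 700 "$d/sample-daemon"
    printf '%s\n' "$d"
}

tree=$(make_sample)
audit_tree "$tree"
restrict_tree "$tree"
echo "findings after restrict: $(count_findings "$tree")"
rm -rf "$tree"
```

Mode bits only limit access to the file's owner, so on a real system the owner should also be confirmed as root, for example with `stat -c '%U'`.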

Changed in starlingx:
assignee: nobody → Eric MacDonald (rocksolidmtce)
Ghada Khalil (gkhalil) wrote :

security concern / medium priority - should be fixed in stx.5.0

tags: added: stx.5.0 stx.metal stx.security
Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
OpenStack Infra (hudson-openstack) wrote : Fix proposed to metal (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741067

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741069

OpenStack Infra (hudson-openstack) wrote : Fix merged to metal (master)

Reviewed: https://review.opendev.org/741067
Committed: https://git.openstack.org/cgit/starlingx/metal/commit/?id=a40175ec842df7741188870b4e00216a19ea0bf6
Submitter: Zuul
Branch: master

commit a40175ec842df7741188870b4e00216a19ea0bf6
Author: Eric MacDonald <email address hidden>
Date: Tue Jul 14 19:49:57 2020 -0400

    Restrict access privilege of mtce config files and daemons

    This update modifies the maintenance daemons and config
    files to restrict access privilege to root privilege

    Storage system was installed successfully and permission
    of affected files verified.

    Change-Id: I9c8e2e36f897c31d54ea5ade884a004c12251493
    Closes-Bug: 1887403
    Signed-off-by: Eric MacDonald <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/741069
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=12112790478027bfef772fcf20da9ce06f0c5cf9
Submitter: Zuul
Branch: master

commit 12112790478027bfef772fcf20da9ce06f0c5cf9
Author: Eric MacDonald <email address hidden>
Date: Tue Jul 14 19:53:25 2020 -0400

    Restrict access privilege of mtc.ini file

    This update modifies the maintenance ini file
    to restrict access privilege to root privilege

    Storage system was installed successfully.
    Permission of affected file was verified.

    Change-Id: Ia516cf1eebf0dd911c5b9cd485c527bd497b50fd
    Closes-Bug: 1887403
    Signed-off-by: Eric MacDonald <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix proposed to nfv (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741273

Ghada Khalil (gkhalil)
Changed in starlingx:
status: Fix Released → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to nfv (master)

Reviewed: https://review.opendev.org/741273
Committed: https://git.openstack.org/cgit/starlingx/nfv/commit/?id=684b977d8e86366fc4f06c4bd204c97ed46f0b39
Submitter: Zuul
Branch: master

commit 684b977d8e86366fc4f06c4bd204c97ed46f0b39
Author: Eric MacDonald <email address hidden>
Date: Wed Jul 15 12:50:10 2020 -0400

    Restrict access privilege of nfv mtce-guest config files and daemons

    This update modifies the nfv mtce-guest daemons and config
    files to restrict access privilege to root privilege

    Storage system was installed successfully and permission
    of affected files verified.

    Change-Id: I7c15c2c2613b40d88e0b4024ade250e5058aab77
    Closes-Bug: 1887403
    Signed-off-by: Eric MacDonald <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919
