Restrict permissions on FM files

Bug #1887444 reported by Yuxing
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Medium
Assigned to: Yuxing

Bug Description

Brief Description
-----------------
FM config and log files may contain secure information and should have restricted permissions.

Severity
--------
Major

Steps to Reproduce
------------------
Check the permissions of /etc/fm/fm.conf and /var/log/fm-manager.log

Expected Behavior
------------------
Both files' permissions should be set to 600

Actual Behavior
----------------
Both files' permissions are 644

Reproducibility
---------------
100%

System Configuration
--------------------
All systems

Branch/Pull Time/Commit
-----------------------
As of July 13th, 2020

Last Pass
---------
NA

Timestamp/Logs
--------------
NA

Test Activity
-------------
Developer test

Yuxing (yuxing)
Changed in starlingx:
assignee: nobody → Yuxing (yuxing)
Ghada Khalil (gkhalil) wrote :

security concern / medium priority - should be fixed in stx.5.0

Changed in starlingx:
importance: Undecided → Medium
status: New → Triaged
tags: added: stx.5.0 stx.fault stx.security
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741341

Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to config-files (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741343

OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/741343
Committed: https://git.openstack.org/cgit/starlingx/config-files/commit/?id=b9f0d1214f0809414b84eda189cbc5c3a94c1add
Submitter: Zuul
Branch: master

commit b9f0d1214f0809414b84eda189cbc5c3a94c1add
Author: Yuxing Jiang <email address hidden>
Date: Wed Jul 15 19:39:00 2020 -0400

    Restrict access privilege of fm-manager.log

    This commit restricts the access privilege of the fm-manager.log file
    to root privilege.

    Verified the ownership and permission of /var/log/fm-manager.log after
    successfully installing and unlocking a controller.

    Change-Id: I0fe9ef5e46df29820661fdbddd6380de0dee5a28
    Closes-Bug: 1887444
    Signed-off-by: Yuxing Jiang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
Yuxing (yuxing) wrote :

As it is recommended to fix the ownership and permission of fm.conf in stx/fault, re-opening this bug for another fix.

Changed in starlingx:
status: Fix Released → In Progress
OpenStack Infra (hudson-openstack) wrote : Change abandoned on stx-puppet (master)

Change abandoned by Yuxing Jiang (<email address hidden>) on branch: master
Review: https://review.opendev.org/741341
Reason: The fix will go to fault

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config-files (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741664

OpenStack Infra (hudson-openstack) wrote : Fix proposed to fault (master)

Fix proposed to branch: master
Review: https://review.opendev.org/741690

OpenStack Infra (hudson-openstack) wrote : Fix merged to fault (master)

Reviewed: https://review.opendev.org/741690
Committed: https://git.openstack.org/cgit/starlingx/fault/commit/?id=454aa613265e6e31138112a424d4f0fa130f315f
Submitter: Zuul
Branch: master

commit 454aa613265e6e31138112a424d4f0fa130f315f
Author: Yuxing Jiang <email address hidden>
Date: Fri Jul 17 13:43:06 2020 -0400

    Modify access privilege and ownership of fm config

    This commit modifies the ownership and access privilege of the
    fault manager config file to the fm user only.

    Verified the ownership and permission of /etc/fm/fm.conf after
    successfully installing and unlocking a controller. No extra error
    message is produced in fm-manager.log and fm-event.log. And fm
    commands are functional.

    Change-Id: Ief675bbe08c00bb106b7fdd6b5db46364192c69c
    Closes-Bug: 1887444
    Signed-off-by: Yuxing Jiang <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to config-files (master)

Reviewed: https://review.opendev.org/741664
Committed: https://git.openstack.org/cgit/starlingx/config-files/commit/?id=0a921beabf00ca35f1db556f54abca433fff6f2c
Submitter: Zuul
Branch: master

commit 0a921beabf00ca35f1db556f54abca433fff6f2c
Author: Yuxing Jiang <email address hidden>
Date: Fri Jul 17 11:43:22 2020 -0400

    Restrict access privilege of fm-manager.log

    This commit restricts the access privilege of the fm-manager.log file
    to root privilege.

    Test:
    After installing a fresh iso in an AIO-SX controller, this controller
    can be unlocked successfully.
    The syslog-ng service can start successfully. And the fm-manager.log
    file has the root privilege.

    Change-Id: I8520c420c5a899174bbfb7c7307eb799807fb3fe
    Partial-Bug: 1887444
    Signed-off-by: Yuxing Jiang <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix proposed to meta-starlingx (master)
OpenStack Infra (hudson-openstack) wrote : Fix merged to meta-starlingx (master)

Reviewed: https://review.opendev.org/c/starlingx/meta-starlingx/+/801950
Committed: https://opendev.org/starlingx/meta-starlingx/commit/84415fdcd76f326b311718d99704e126829a06d5
Submitter: "Zuul (22348)"
Branch: master

commit 84415fdcd76f326b311718d99704e126829a06d5
Author: Jackie Huang <email address hidden>
Date: Tue May 18 15:26:44 2021 +0800

    fm-rest-api: Modify access privilege and ownership of fm config

    Modify access privilege and ownership of fm config
    according to upstream change:

    ```````````````````````````````````````````````
    commit 454aa613265e6e31138112a424d4f0fa130f315f
    Author: Yuxing Jiang <email address hidden>
    Date: Fri Jul 17 13:43:06 2020 -0400

        Modify access privilege and ownership of fm config

        This commit modifies the ownership and access privilege of the
        fault manager config file to the fm user only.

        Verified the ownership and permission of /etc/fm/fm.conf after
        successfully installing and unlocking a controller. No extra error
        message is produced in fm-manager.log and fm-event.log. And fm
        commands are functional.

        Closes-Bug: 1887444
        Signed-off-by: Yuxing Jiang <email address hidden>
    ```````````````````````````````````````````````

    Story: 2008952
    Task: 42576

    Signed-off-by: Jackie Huang <email address hidden>
    Change-Id: If59ddf7be37374903f6d58da95bce49c997bfb52
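
A check for the end state this report asks for, as an added example that is not part of the bug thread or of the StarlingX fixes: it audits mode and owner of the two FM files, using the 600 mode from the report and the owners named in the fix commits (fm for fm.conf, root for fm-manager.log). It treats 600 as a maximum, so a stricter mode such as 400 also passes; the function names and the PREFIX argument are assumptions made for the example, and GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not StarlingX code): audit the two FM files from this bug.
# Expected values come from the report and its fix commits:
#   /etc/fm/fm.conf          mode 600, owner fm
#   /var/log/fm-manager.log  mode 600, owner root
# Assumes GNU or BusyBox stat (-c). PREFIX is a hypothetical test-tree root.

# check_file PATH MAX_MODE OWNER: 0 = compliant, 1 = finding, 2 = missing
check_file() {
    cf_path=$1 cf_max=$2 cf_owner=$3
    if [ -L "$cf_path" ] || [ ! -f "$cf_path" ]; then
        echo "MISSING $cf_path (absent, symlink or not a regular file)"
        return 2
    fi
    cf_mode=$(stat -c '%a' "$cf_path")
    cf_user=$(stat -c '%U' "$cf_path")
    # Any permission bit outside MAX_MODE is a finding (644 vs 600 -> 044).
    cf_extra=$(( 0$cf_mode & ~0$cf_max & 07777 ))
    if [ "$cf_extra" -eq 0 ] && [ "$cf_user" = "$cf_owner" ]; then
        echo "OK      $cf_path mode=$cf_mode owner=$cf_user"
        return 0
    fi
    echo "FINDING $cf_path mode=$cf_mode owner=$cf_user (want <=$cf_max $cf_owner)"
    return 1
}

# audit_fm [PREFIX] [CONF_OWNER] [LOG_OWNER]: 0 only if both files comply
audit_fm() {
    af_rc=0
    check_file "${1:-}/etc/fm/fm.conf" 600 "${2:-fm}" || af_rc=1
    check_file "${1:-}/var/log/fm-manager.log" 600 "${3:-root}" || af_rc=1
    return "$af_rc"
}

# Demo on a constructed tree: fm.conf left at the reported 644, log fixed.
demo=$(mktemp -d)
mkdir -p "$demo/etc/fm" "$demo/var/log"
: > "$demo/etc/fm/fm.conf";         chmod 644 "$demo/etc/fm/fm.conf"
: > "$demo/var/log/fm-manager.log"; chmod 600 "$demo/var/log/fm-manager.log"
me=$(stat -c '%U' "$demo")   # the temp files belong to whoever runs this
audit_fm "$demo" "$me" "$me" || echo "audit: findings present"
rm -rf "$demo"
```

On a controller, calling `audit_fm` with no arguments checks the real paths against the fm and root owners.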
