Ansible playbooks/vars generated by config-download can be read by non-root users
Bug #1990226 reported by Takashi Kajinami
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
tripleo | Fix Released | Critical | Takashi Kajinami | |
Bug Description
Description
===========
In stable/train, ansible playbooks and var files are generated under the /var/lib/
However, directory/file permissions are too liberal and non-root users can read the files, which contain sensitive information such as passwords.
So far we understood the issue affects only stable/train and does not affect recent branches such as stable/wallaby or master.
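
An added example, not part of the bug report or of the TripleO fix: a mode-bit audit that lists files in a generated directory tree that users outside the owner and group can read. The directory name, file names and modes in `build_sample_tree` are constructed for the demo; `exposed_files` takes whatever directory is to be audited.

```python
import os
import stat
import tempfile


def exposed_files(root):
    """List (relative path, mode) of regular files under root that "other"
    users can read, judged by mode bits only (ACLs and group access ignored).

    A file counts only if it has o+r AND every directory from root down to
    it has o+x, so a 0700 directory shields everything beneath it.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if not os.lstat(dirpath).st_mode & stat.S_IXOTH:
            dirnames[:] = []  # others cannot traverse here: prune the subtree
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                rel = os.path.relpath(path, root)
                findings.append((rel, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_sample_tree(base):
    """Constructed layout for the demo; names and modes are made up."""
    root = os.path.join(base, "generated")
    for rel_dir, dir_mode, fname, file_mode in [
        (".", 0o755, "playbook.yaml", 0o600),        # private file
        ("group_vars", 0o755, "vars.yaml", 0o644),   # exposed
        ("locked", 0o700, "passwords.yaml", 0o644),  # shielded by parent
    ]:
        d = os.path.normpath(os.path.join(root, rel_dir))
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, fname)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, file_mode)
        os.chmod(d, dir_mode)
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        root = build_sample_tree(base)
        print("before:", exposed_files(root))
        os.chmod(root, 0o700)  # tighten only the top-level directory
        print("after: ", exposed_files(root))
```

The audit treats the directory passed in as the boundary; directories above it that lack o+x would also block access and are not examined.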
information type: Private Security → Public Security
Changed in tripleo:
status: In Progress → Fix Released
I've attached the fix we need in tripleo-ansible and tripleo-common. These were already reviewed in downstream so I'll push public patches once I get ack from the team from tripleo-coresec.