Ansible playbooks/vars generated by config-download can be read by non-root users

Bug #1990226 reported by Takashi Kajinami
Affects: tripleo
Status: Fix Released
Importance: Critical
Assigned to: Takashi Kajinami
Milestone:

Bug Description

Description
===========
In stable/train, ansible playbooks and var files are generated under the /var/lib/mistral/<stack name> directory during overcloud deployment.
However, directory/file permissions are too liberal and non-root users can read the files, which contain sensitive information such as passwords.

So far we understand that the issue affects only stable/train and does not affect recent branches such as stable/wallaby or master.

Revision history for this message
Takashi Kajinami (kajinamit) wrote :
Changed in tripleo:
importance: Undecided → Critical
status: New → In Progress
Revision history for this message
Takashi Kajinami (kajinamit) wrote :
Revision history for this message
Takashi Kajinami (kajinamit) wrote :

I've attached the fix we need in tripleo-ansible and tripleo-common. These were already reviewed downstream, so I'll push public patches once I get an ack from the tripleo-coresec team.

Revision history for this message
Jeremy Stanley (fungi) wrote :

Also please remember to switch this bug to public at the earliest safe opportunity, preferably just before pushing the fixes into code review (so that integration there can add details to the referenced bug report from the commit message automatically). Worst case, switch to public no later than when releases have been tagged with the fix, so that we don't have OpenStack bugs hanging around indefinitely private.

information type: Private Security → Public Security
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-ansible (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-ansible/+/858591

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to tripleo-common (stable/train)

Fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/858593

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-ansible (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-ansible/+/858591
Committed: https://opendev.org/openstack/tripleo-ansible/commit/72dbd1e102375398cec0605d011f82e087134e84
Submitter: "Zuul (22348)"
Branch: stable/train

commit 72dbd1e102375398cec0605d011f82e087134e84
Author: Takashi Kajinami <email address hidden>
Date: Tue Sep 20 17:33:02 2022 +0900

    Train-only: Reduce permission of config-download files

    In stable/train, the config-download process is executed by mistral and
    some files are stored under /var/lib/mistral.
    If a file in the directory has o+r permission, then other users can
    read the file content. The generated files, such as the group var file,
    include some sensitive items like passwords and should not be visible
    to anonymous users.

    This ensures we remove permission for other users so that we prevent
    other users from sneaking files.

    Closes-Bug: #1990226
    Resolves: rhbz#2120660
    Change-Id: Idc78964f560fc7a5766cf164c65d48adcbed4532

tags: added: in-stable-train
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/858593
Committed: https://opendev.org/openstack/tripleo-common/commit/c488b59b95cb726d5b412a7fc6524395f162ff9f
Submitter: "Zuul (22348)"
Branch: stable/train

commit c488b59b95cb726d5b412a7fc6524395f162ff9f
Author: Takashi Kajinami <email address hidden>
Date: Tue Sep 20 17:31:50 2022 +0900

    Train-only: Reduce permission of config-download files

    In stable/train, the config-download process is executed by mistral and
    some files are stored under /var/lib/mistral.
    If a file in the directory has o+r permission, then other users can
    read the file content. The generated files, such as the group var file,
    include some sensitive items like passwords and should not be visible
    to anonymous users.

    This ensures we remove permission for other users so that we prevent
    other users from sneaking files.

    Closes-Bug: #1990226
    Resolves: rhbz#2120660
    Change-Id: Idc78964f560fc7a5766cf164c65d48adcbed4532

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to tripleo-common (stable/train)

Related fix proposed to branch: stable/train
Review: https://review.opendev.org/c/openstack/tripleo-common/+/862556

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to tripleo-common (stable/train)

Reviewed: https://review.opendev.org/c/openstack/tripleo-common/+/862556
Committed: https://opendev.org/openstack/tripleo-common/commit/ef8fb6935f9b24b780958c2a5dd8e2c552b16331
Submitter: "Zuul (22348)"
Branch: stable/train

commit ef8fb6935f9b24b780958c2a5dd8e2c552b16331
Author: Takashi Kajinami <email address hidden>
Date: Tue Oct 25 16:42:28 2022 +0900

    Train-only: Do not attempt to remove config-download files

    The change c488b59b95cb726d5b412a7fc6524395f162ff9f made sure
    the config-download files are always recreated with the proper
    permissions but that causes permission errors if ceph or octavia is
    deployed because these services generate files owned by tripleo-admin
    in the config-download data directory.

    This change removes the clean up steps to avoid those permission errors.
    This means users need to manually remove these files in case they want
    to correct permissions of the config-download files.

    Related-Bug: #1990226
    Resolves: rhbz#2137484
    Change-Id: Ib819c40862302065b6b52f68f0460f3d533d2194
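
A defender-side audit and remediation for the problem described in this report and the caveat from the related fix above, as an added example that is not code from tripleo-ansible or tripleo-common: it lists every entry under a config-download directory that grants any permission to "other", strips those bits, and records rather than aborts on entries it cannot chmod (such as the tripleo-admin-owned ceph/octavia files mentioned in the related fix). The directory layout, file names and password value are constructed for the demo.

```python
import stat
import tempfile
from pathlib import Path

OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH  # o+rwx


def find_world_accessible(root):
    """Return every entry under root (root itself included) with any o+rwx bit set."""
    root = Path(root)
    entries = [root, *root.rglob("*")]
    return sorted(p for p in entries if p.lstat().st_mode & OTHER_BITS)


def strip_other_bits(root):
    """Remove o+rwx from every entry under root.

    Entries owned by another uid (the tripleo-admin-owned files from the
    related fix) raise PermissionError for a non-root caller; they are
    reported in `skipped` instead of aborting the whole run.
    """
    fixed, skipped = [], []
    for p in [Path(root), *Path(root).rglob("*")]:
        if p.is_symlink():
            continue  # chmod would follow the link; leave symlinks alone
        mode = p.lstat().st_mode
        if not mode & OTHER_BITS:
            continue
        try:
            p.chmod(stat.S_IMODE(mode) & ~OTHER_BITS)
            fixed.append(p)
        except PermissionError:
            skipped.append(p)
    return sorted(fixed), sorted(skipped)


def demo():
    """Constructed layout mimicking /var/lib/mistral/<stack>; returns the
    world-accessible entries (relative to the stack dir) before and after the fix."""
    with tempfile.TemporaryDirectory() as tmp:
        stack = Path(tmp) / "overcloud"
        (stack / "group_vars").mkdir(parents=True)
        secret = stack / "group_vars" / "overcloud.yml"
        secret.write_text("AdminPassword: CONSTRUCTED-PLACEHOLDER\n")
        secret.chmod(0o644)              # the o+r defect described in the bug
        (stack / "group_vars").chmod(0o755)
        stack.chmod(0o750)
        before = [str(p.relative_to(stack)) for p in find_world_accessible(stack)]
        strip_other_bits(stack)
        after = [str(p.relative_to(stack)) for p in find_world_accessible(stack)]
        return before, after
```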

Changed in tripleo:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-ansible train-eol

This issue was fixed in the openstack/tripleo-ansible train-eol release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/tripleo-common train-eol

This issue was fixed in the openstack/tripleo-common train-eol release.
