Restrict permissions on Openstack installation
Affects | Status | Importance | Assigned to | Milestone | ||
---|---|---|---|---|---|---|
Ubuntu Cloud Archive |
Fix Released
|
Medium
|
Unassigned | |||
Ocata |
Fix Released
|
Undecided
|
Unassigned | |||
Pike |
Fix Released
|
Undecided
|
Unassigned | |||
aodh (Ubuntu) | ||||||
Zesty |
New
|
Undecided
|
Unassigned | |||
Artful |
Won't Fix
|
Undecided
|
Unassigned | |||
heat (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | |||
Zesty |
Fix Released
|
Medium
|
Unassigned | |||
Artful |
Fix Released
|
Medium
|
Unassigned | |||
horizon (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | |||
Zesty |
Won't Fix
|
Medium
|
Unassigned | |||
Artful |
Fix Released
|
Medium
|
Unassigned |
Bug Description
[Impact]
Default configuration file permissions may allow read by unprivileged users other than the package system account.
[Test Case]
sudo apt install <pkg>-common
ls -l /etc/<pkg>
a) folder may be readable b) files may be readable
[Regression Potential]
Medium; if a openstack daemon can't read its config files, it won't startup; however most packages are covered by DEP-8 tests and we'll test
a full OpenStack deployment using the normal SRU testing process:
https:/
[Original Bug Report]
Example given by CPE:
Permssions for /etc/openstack-
Permssions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder
Permssions for /etc/glance/ are too loose (755). Should be 700, glance:glance
Permssions for /etc/heat/ are too loose (750). Should be 700, heat:heat
Permssions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:
Will leave for you to evaluate best permissions.
Changed in cloud-archive: | |
status: | New → Confirmed |
status: | Confirmed → Triaged |
importance: | Undecided → Medium |
Changed in cloud-archive: | |
status: | Fix Committed → Triaged |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
no longer affects: | aodh (Ubuntu) |
For >=Mitaka please.