Ubuntu
keystone package

wsgi scripts shouldn't grant on /usr/bin

Bug #1674465 reported by Corey Bryant
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
keystone (Ubuntu)
Triaged
Medium
Unassigned
nova (Ubuntu)
Triaged
Medium
Unassigned

Bug Description

cdent mentioned this:

<cdent> coreycb: as a somewhat related aside: I think the wsgi script should not be in /usr/bin and the Directory statement should not grant on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in the habit of installing the wsgi script in /usr/bin or /usr/local/bin and that's probably bad.

It does seems sensible to limit the access granted to something more minimal than /usr/bin.

For reference:
https://httpd.apache.org/docs/2.4/howto/access.html

This affects the nova-placement-api. https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/nova/tree/debian/nova-placement-api.conf?h=stable/ocata

This affects more than just nova. We should revisit all of our packages that have wsgi scripts.

Chuck Short (zulcss)
Changed in keystone (Ubuntu):
status: New → Confirmed
Changed in nova (Ubuntu):
status: New → Confirmed
James Page (james-page)
Changed in nova (Ubuntu):
status: Confirmed → Triaged
Changed in keystone (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in nova (Ubuntu):
importance: Undecided → Medium
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.