Any user can manage the keystone database via keystone-manage
Bug #900553 reported by Adam Gandelman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
keystone (Ubuntu) | Fix Released | Undecided | Adam Gandelman |
Bug Description
Using keystone against an external MySQL database, users have access to manage the keystone database, i.e.:
ubuntu@
ubuntu@
ubuntu@
Permissions on either /usr/bin/
Related branches
lp:~gandelman-a/ubuntu/precise/keystone/lp900553
- Chuck Short (community): Approve
- Diff: 29 lines (+9/-3), 2 files modified
  - debian/changelog (+7/-0)
  - debian/keystone.postinst (+2/-3)
security vulnerability: no → yes
On second look, /etc/keystone/keystone.conf (like every other OpenStack component) stores its database credentials as a plain-text sqlalchemy string. This should be installed non-world-readable.
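A check for the condition described in the comment above, as an added example that is not part of the bug report or of the Ubuntu fix: it flags a config file that is readable by all local users and carries a database URL with an embedded password. The function name `audit_config`, the regex and the sample config contents are assumptions made for illustration.

```python
import os
import re
import stat
import tempfile

# URL with an embedded password, e.g. scheme://user:password@host/db.
# sqlite:///file.db does not match because it has no user:password@ part.
CRED_URL = re.compile(r"\b[a-z][a-z0-9+]*://[^\s:/@]+:[^\s@]+@", re.I)

# Constructed sample contents; the key name is illustrative, the check
# matches on the URL shape and does not depend on it.
SAMPLE_MYSQL = "[sql]\nconnection = mysql://keystone:s3cret@10.0.0.5/keystone\n"
SAMPLE_SQLITE = "[sql]\nconnection = sqlite:///keystone.db\n"


def audit_config(path):
    """Return a list of findings for one config file (empty list = OK)."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, encoding="utf-8", errors="replace") as fh:
        has_creds = any(
            CRED_URL.search(line)
            for line in fh
            if not line.lstrip().startswith(("#", ";"))  # skip comments
        )
    if mode & stat.S_IROTH:
        findings.append("world-readable (mode %04o)" % mode)
        if has_creds:
            findings.append("embedded database credentials exposed to all local users")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


if __name__ == "__main__":
    # Demonstrate on a constructed file rather than the live config.
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "keystone.conf")
    with open(conf, "w") as fh:
        fh.write(SAMPLE_MYSQL)
    for mode in (0o644, 0o640):
        os.chmod(conf, mode)
        print("%04o -> %s" % (mode, audit_config(conf) or "ok"))
```

Run against the real path, the same function reports whether the installed `/etc/keystone/keystone.conf` is in the state the comment describes.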