Any user can manage the keystone database via keystone-manage

Bug #900553 reported by Adam Gandelman on 2011-12-06
Affects: keystone (Ubuntu). Assigned to: Adam Gandelman.

Bug Description

Using keystone against an external mysql database, users have access to manage the keystone database, i.e.:

ubuntu@ip-10-12-14-3:~$ keystone-manage user add tester p@ssword
ubuntu@ip-10-12-14-3:~$ keystone-manage role add Admin
ubuntu@ip-10-12-14-3:~$ keystone-manage role grant Admin tester

Permissions on either /usr/bin/keystone-manage or /etc/keystone/keystone.conf need to be tightened. I believe this is not an issue with the default package installation since keystone defaults to /var/lib/keystone/keystone.db as its backing store, which is owned 0755 by user keystone (perhaps this should also be restricted to 0600?)

Adam Gandelman (gandelman-a) wrote :

On second look, /etc/keystone/keystone.conf (like every other openstack component) stores its database credentials as a plain text sqlalchemy string. This should be installed non-world readable.

security vulnerability: no → yes
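A defender-side check for the two files discussed above (keystone.conf with its plain-text SQLAlchemy connection string, and the sqlite keystone.db backing store), written as an added example for this page and not taken from the bug report or the Ubuntu packaging. It builds a throwaway keystone.conf in a temporary directory with a constructed, fake credential string, then reports whether the file grants any permission to "other" users before and after tightening the mode. The `/sql/connection` layout and the `db.example.invalid` host are illustrative assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report): flag files whose "other" permission
# bits are set, since any local user could then read stored credentials.
# Returns 0 (true) when the file is world-accessible, 1 otherwise.
world_accessible() {
    other=$(ls -ld "$1" | cut -c8-10)   # rwx triplet for "other" in ls -l output
    [ "$other" != "---" ]
}

# Print a one-line verdict for a path, using the helper above.
report() {
    mode=$(ls -ld "$1" | cut -c1-10)
    if world_accessible "$1"; then
        echo "$1: $mode  world-accessible, credentials readable by any local user"
    else
        echo "$1: $mode  ok"
    fi
}

# Constructed sample config: the shape keystone.conf uses for its connection URL,
# with an obviously fake password and an invalid hostname.
demo_dir=$(mktemp -d)
conf="$demo_dir/keystone.conf"
printf '[sql]\nconnection = mysql://keystone:EXAMPLE_PASSWORD@db.example.invalid/keystone\n' > "$conf"

chmod 0644 "$conf"   # typical default for a packaged config file
report "$conf"       # flagged: world-readable
chmod 0640 "$conf"   # owner rw, group r, nothing for others
report "$conf"       # ok
rm -rf "$demo_dir"
```

The same `world_accessible` check applies to /var/lib/keystone/keystone.db: a mode of 0755 on that file exposes the sqlite store to every local account in exactly the way the description shows, and 0600 owned by the keystone user is the tightened setting the report suggests.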
Evan Broder (broder) wrote :

I'm going to go ahead and unsubscribe ubuntu-sponsors from this bug - branch merge requests are automatically added to the sponsorship queue.

Adam, I'm assigning to you so you can track and close when done

Changed in keystone (Ubuntu):
assignee: nobody → Adam Gandelman (gandelman-a)

Adam Gandelman (gandelman-a) wrote :

I think the branch confusion caused this not to be closed out by Janitor? Either way, it was addressed in keystone 2012.1~e2~20111202.1379-0ubuntu2.

Changed in keystone (Ubuntu):
status: New → Fix Released
This report contains Public Security information (visible to everyone).