wsgi scripts shouldn't grant on /usr/bin

Bug #1674465 reported by Corey Bryant on 2017-03-20
This bug affects 1 person
Affects: keystone (Ubuntu); Importance: Medium; Assigned to: Unassigned
Affects: nova (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

cdent mentioned this:

<cdent> coreycb: as a somewhat related aside: I think the wsgi script should not be in /usr/bin and the Directory statement should not grant on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in the habit of installing the wsgi script in /usr/bin or /usr/local/bin and that's probably bad.

It does seem sensible to limit the access granted to something more minimal than /usr/bin.

For reference:
https://httpd.apache.org/docs/2.4/howto/access.html

This affects the nova-placement-api. https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/nova/tree/debian/nova-placement-api.conf?h=stable/ocata

This affects more than just nova. We should revisit all of our packages that have wsgi scripts.
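
One way to carry out the review suggested above is to scan packaged Apache configs for Directory blocks that grant access on a shared binary directory. The script below is an added example, not part of the bug report or of any Ubuntu package; the BROAD_DIRS list, the sample configs and the example-api paths are constructed for illustration.

```python
import posixpath
import re

# Assumed list of shared executable directories; a grant on any of these
# covers far more than the single WSGI script being served.
BROAD_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
GRANT_RE = re.compile(r'^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\s*$', re.I | re.M)
ALIAS_RE = re.compile(r'^\s*WSGIScriptAlias\s+\S+\s+"?([^"\s]+)"?', re.I | re.M)

# Constructed sample: grant on /usr/bin, the pattern this bug describes.
BROAD_CONF = """
<VirtualHost *:8080>
    WSGIScriptAlias / /usr/bin/example-api-wsgi
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
"""

# Constructed sample: grant limited to a hypothetical dedicated script dir.
NARROW_CONF = """
<VirtualHost *:8080>
    WSGIScriptAlias / /usr/share/example-api/wsgi/example-api-wsgi
    <Directory /usr/share/example-api/wsgi>
        Require all granted
    </Directory>
</VirtualHost>
"""


def audit(conf_text):
    """Return one finding per <Directory> block that grants access on a
    broad binary directory, listing WSGIScriptAlias targets located there."""
    scripts = [posixpath.normpath(p) for p in ALIAS_RE.findall(conf_text)]
    findings = []
    for path, body in DIRECTORY_RE.findall(conf_text):
        directory = posixpath.normpath(path.strip())
        if directory in BROAD_DIRS and GRANT_RE.search(body):
            here = [s for s in scripts if posixpath.dirname(s) == directory]
            findings.append({"directory": directory, "wsgi_scripts": here})
    return findings


if __name__ == "__main__":
    for name, conf in (("broad", BROAD_CONF), ("narrow", NARROW_CONF)):
        print(name, audit(conf))
```

The regexes only handle plain Directory blocks in a single file; Include directives, DirectoryMatch and nested overrides are not followed.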

Chuck Short (zulcss) on 2017-04-10
Changed in keystone (Ubuntu):
status: New → Confirmed
Changed in nova (Ubuntu):
status: New → Confirmed
James Page (james-page) on 2017-10-20
Changed in nova (Ubuntu):
status: Confirmed → Triaged
Changed in keystone (Ubuntu):
status: Confirmed → Triaged
importance: Undecided → Medium
Changed in nova (Ubuntu):
importance: Undecided → Medium