/etc/nova/nova-compute.conf not owned by nova

Bug #861459 reported by Scott Moser on 2011-09-28
Affects: nova (Ubuntu); Importance: Low; Assigned to: Unassigned

Bug Description

On a freshly installed system, I ran:
 apt-get install -y cloud-utils euca2ools glance nova-api nova-common nova-compute-lxc nova-doc nova-network nova-objectstore nova-scheduler python-greenlet python-mysqldb python-nova rabbitmq-server unzip qemu-kvm

$ ls -l /etc/nova/
total 12
-rw-r--r-- 1 root root 3080 2011-09-23 13:35 api-paste.ini
-rw-r--r-- 1 root root 19 2011-09-23 14:25 nova-compute.conf
-rw------- 1 nova root 276 2011-09-23 13:35 nova.conf

There are 2 possible issues I see here:
a.) nova-compute.conf is world readable and root owned. that may not be an issue.
   Note, though, in nova-common.postinst, nova.conf is explicitly set to nova:nova and 600. The other files in that dir are not touched. That may well be by design.

b.) in the apt output I see:

Setting up nova-common (2011.3-0ubuntu2) ...
Adding system user `nova' (UID 107) ...
Adding new user `nova' (UID 107) with group `nogroup' ...
Not creating home directory `/var/lib/nova'.
[Errno 2] No such file or directory: '/etc/nova/nova-compute.conf'
ERROR:: Unable to open flagfile: /etc/nova/nova-compute.conf
/usr/lib/python2.7/dist-packages/migrate/changeset/schema.py:124: MigrateDeprecationWarning: Passing a Column object to alter_column is deprecated. Just pass in keyword parameters instead.
  MigrateDeprecationWarning

nova-common's /etc/nova/nova.conf has '--flagfile=/etc/nova/nova-compute.conf' and nova-compute-lxc (or any nova-compute for that matter) has not been installed yet. So this is probably just ignorable.

ProblemType: Bug
DistroRelease: Ubuntu 11.10
Package: nova-compute-lxc 2011.3-0ubuntu2
ProcVersionSignature: Ubuntu 3.0.0-12.19-server 3.0.4
Uname: Linux 3.0.0-12-server x86_64
ApportVersion: 1.23-0ubuntu1
Architecture: amd64
Date: Wed Sep 28 10:26:52 2011
NovaConf: Error: [Errno 13] Permission denied: '/etc/nova/nova.conf'
PackageArchitecture: all
ProcEnviron:
 LANGUAGE=en_US:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: nova
UpgradeStatus: No upgrade log present (probably fresh install)


Scott Moser (smoser) wrote :
Changed in nova (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Adam Gandelman (gandelman-a) wrote :

a.) nova-compute.conf is world readable and root owned. that may not be an issue.

I'm not sure if this is by design, but currently the only flag contained in nova-compute.conf is '--libvirt_type='. nova.conf usually contains credentials for accessing things like the database and messaging queue. I imagine nova-compute.conf could contain credentials for use with certain hypervisors (XenServer, e.g.) but currently none of the nova-compute-* packages install anything other than --libvirt-type={kvm,uml,lxc,xen}

b.) in the apt output I see:

Bug #839796

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1~rc2-0ubuntu1

---------------
nova (2012.1~rc2-0ubuntu1) precise; urgency=low

  [ Adam Gandelman ]
  * debian/control: Remove unnecessary nova-cert dependency from nova-api.
    (LP: #965356)
  * debian/nova-common.postinst: Clean up spacing, remove redundant chown,
    set blanket 0700 nova.nova permissions on /etc/nova/
  * debian/nova-compute-{kvm, lxc, uml, xen}.postinst: Set proper permissions
    on /etc/nova/nova-compute.conf (LP: #861459)
  * debian/nova-common.postinst: Ensure default nova.sqlite database is not
    world-readable.
  * debian/{rules, nova-common.{install, postinst}}: Install api-paste.ini 0600
    with nova-common (in preparation for proper nova-api-* package separation)
  * debian/{nova-common.nova-manage.logrotate,
    nova-network.nova-dhcpbridge.logrotate, rules}: Add logrotate files,
    override_dh_installlogrotate. (LP: #942646)
  * Add manpage stubs for nova-api-ec2, nova-api-metadata,
    nova-api-os-{volume, compute}, nova-rootwrap. Use sphinx built manpage
    for nova-manage (nova-common.manpages)
  * debian/nova-compute-{kvm, xen, uml, qemu}.postinst: Remove calls to
    adduser since this is already handled from nova-compute.postinst in a
    vendor neutral way. Silences lintian errors regarding adduser dependency

  [ Chuck Short ]
  * New upstream version.
  * debian/patches/libvirt-use-console-pipe.patch: Dropped.
  * debian/patches/nova-console-monitor.patch: Add console-monitor
    option.
  * debian/nova.conf: Enable use_console_monitor
  * debian/patches/fix-ubuntu-tests.patch: Fix nova testsuite.
  * debian/rules: fail package build if testsuite fails.
  * debian/patches/validate_server_name_length.patch: Dropped no longer
    needed.
  * debian/patches/fix-docs-build-without-network.patch: Some docs need
    a network connection in order to build. Disable fetching docs from
    the internet.
  * debian/patches/0001-fix-useexisting-deprecation-warnings.patch:
    Remove deprecated warnings with sqlalchemy.

  [ Tyler Hicks ]
  * SECURITY UPDATE: Denial of service via resource exhaustion in nova-api
    (LP: #968411)
    - debian/patches/validate_server_name_length.patch: Limit server names
      to a maximum of 255 characters to prevent nova-api log files from
      exhausting storage space. Based on upstream patch.
    - CVE-2012-1585
 -- Chuck Short <email address hidden> Mon, 02 Apr 2012 11:17:33 -0400

Changed in nova (Ubuntu):
status: Confirmed → Fix Released
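The check a practitioner would want after this fix is an audit of /etc/nova/ for exactly the two conditions the report raises: a config file owned by someone other than the service user, and a config file readable by group or other. The script below is an added example and is not code from the bug report or from the Ubuntu nova packaging. It rebuilds the three-file layout from the ls -l output above in a temporary directory (a constructed sample, owned by whoever runs it rather than root/nova, with placeholder contents), audits it, then applies what the fixed nova-common.postinst describes: 0700 on the directory and 0600 on its files, with the chown to the service user only attempted when running as root and that user exists. The function names, the sample file contents and the "nova" user are assumptions for illustration; stat -c and find-free mode parsing assume GNU coreutils on Linux.

```shell
# Added example, not part of the bug report or the nova packaging.
# Assumes GNU coreutils (stat -c %U / %a) as found on Ubuntu.

# make_sample_dir: constructed sample mirroring the ls -l listing in the
# report (api-paste.ini 644, nova-compute.conf 644, nova.conf 600). The file
# contents are placeholders, not the real configs; nova.conf gets a fake
# --sql_connection line to stand in for the DB credentials it normally holds.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '[composite:osapi]' > "$d/api-paste.ini"
    printf '%s\n' '--libvirt_type=lxc' > "$d/nova-compute.conf"
    printf '%s\n' '--sql_connection=mysql://nova:EXAMPLE_ONLY@127.0.0.1/nova' > "$d/nova.conf"
    chmod 644 "$d/api-paste.ini" "$d/nova-compute.conf"
    chmod 600 "$d/nova.conf"
    echo "$d"
}

# audit_conf_dir DIR OWNER: print one line per finding. A file is reported
# once if its owner is not OWNER and once more if any group/other permission
# bit is set (the last two octal digits of the mode are not "00").
# Returns 0 when there are no findings, 1 otherwise.
audit_conf_dir() {
    dir=$1
    owner=$2
    bad=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        fowner=$(stat -c %U "$f")
        fmode=$(stat -c %a "$f")
        if [ "$fowner" != "$owner" ]; then
            echo "$f: owner $fowner, expected $owner"
            bad=$((bad + 1))
        fi
        case "$fmode" in
            *00) ;;
            *)
                echo "$f: mode $fmode is readable by group/other"
                bad=$((bad + 1))
                ;;
        esac
    done
    [ "$bad" -eq 0 ]
}

# harden_conf_dir DIR OWNER: the blanket permissions the fixed postinst
# describes, 0700 on the directory and 0600 on every regular file in it.
# chown needs root, so it is skipped with a notice on stderr otherwise; the
# audit above will still flag the owner mismatch in that case.
harden_conf_dir() {
    dir=$1
    owner=$2
    chmod 0700 "$dir"
    for f in "$dir"/*; do
        [ -f "$f" ] && chmod 0600 "$f"
    done
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$owner" "$dir"
    else
        echo "not root or no user '$owner': skipping chown" >&2
    fi
}

# Stand-alone run: audit the sample against the current user, harden it,
# audit again (the second audit should print nothing).
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    sample=$(make_sample_dir)
    echo "== before =="
    audit_conf_dir "$sample" "$(id -un)" || true
    harden_conf_dir "$sample" "$(id -un)"
    echo "== after =="
    audit_conf_dir "$sample" "$(id -un)" && echo "clean"
    rm -rf "$sample"
fi
```

Against a real install the call would be `audit_conf_dir /etc/nova nova`; on the system from the report it prints three lines (api-paste.ini and nova-compute.conf for mode 644 and owner root, nova.conf is already 600 but owned by root:root rather than nova:nova as the postinst sets it), and the same audit after the 2012.1~rc2 packages prints nothing.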