/var/log/nova/* is world-readable

Bug #862816 reported by Adam Gandelman on 2011-09-29
Affects                  Status  Importance  Assigned to      Milestone
nova (Ubuntu)                    High        Adam Gandelman
nova (Ubuntu) Oneiric            High        Adam Gandelman

Bug Description

The default nova.conf ships with '--verbose' enabled by default. When set, each nova-* component logs all configuration flags to their respective logfile in /var/log/nova/, including any credentials stored in nova.conf (see attachment). If '--verbose' logging is to be enabled by default, permissions of logfiles in /var/log/nova should be restricted to match those of nova.conf (0600, nova:nova).

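The following shell script is an added example and not the Ubuntu nova package's postinst: it audits a log directory for files readable by group or others, tightens them to the mode the report asks for (0600, nova:nova), and greps a logfile for credential-looking settings that a verbose flag dump may already have written. The log line format and the flag names in the self-demo are constructed assumptions; the page shows no actual log output.

```sh
#!/bin/sh
# Added example, not the nova package's postinst: audit and restrict a
# nova log directory, then check whether a verbose flag dump already
# leaked credential-looking settings into a logfile.

# List regular files under $1 that are readable by group or others.
find_world_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print
}

# Succeed only when nothing under $1 is readable by group or others.
is_restricted() {
    [ -z "$(find_world_readable "$1")" ]
}

# Restrict $1: directory 0750, files 0600, owner $2:$3 (default nova:nova).
# chown is attempted only when running as root and the owner account exists.
restrict_log_dir() {
    dir=$1 owner=${2:-nova} group=${3:-nova}
    chmod 0750 "$dir" || return 1
    find "$dir" -type f -exec chmod 0600 {} + || return 1
    if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
        chown -R "$owner:$group" "$dir"
    fi
}

# Print lines of logfile $1 where a flag named like a credential is logged
# together with a value. The pattern is an assumption: the page does not
# show the format of the verbose flag dump.
leaked_credential_lines() {
    grep -iE '(password|secret|token)[a-z_]* *[:=] *[^[:space:]]' "$1"
}

# Self-demo on a constructed log directory (sample lines, not real output).
demo() {
    tmp=$(mktemp -d)
    printf 'DEBUG nova.flags: verbose : True\n' >"$tmp/nova-api.log"
    printf 'DEBUG nova.flags: example_password : hunter2\n' >>"$tmp/nova-api.log"
    chmod 0644 "$tmp/nova-api.log"
    echo "world-readable before: $(find_world_readable "$tmp" | wc -l | tr -d ' ')"
    restrict_log_dir "$tmp"
    echo "world-readable after:  $(find_world_readable "$tmp" | wc -l | tr -d ' ')"
    echo "credential-looking lines:"
    leaked_credential_lines "$tmp/nova-api.log"
    rm -rf "$tmp"
}
```

Run `demo` to see the before/after counts on a throwaway directory; on a real host call `restrict_log_dir /var/log/nova` as root and `leaked_credential_lines` on each logfile.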
Adam Gandelman (gandelman-a) wrote :
Dave Walker (davewalker) on 2011-09-29
Changed in nova (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
tags: added: server-o-rs
Changed in nova (Ubuntu Oneiric):
assignee: nobody → Adam Gandelman (gandelman-a)
Adam Gandelman (gandelman-a) wrote :

This is both a packaging problem and a Nova bug. Packaging should override the default logfile mode (0644) in nova.conf via the --logfile_mode flag; however, this option does not seem to function as it should (Bug #862969).

Changed in nova (Ubuntu Oneiric):
status: Triaged → In Progress
Adam Gandelman (gandelman-a) wrote :

Attached is a patch to be applied to lp:~ubuntu-server-dev/nova/diablo while we wait for LP merges to function again.

The attachment "nova.patch" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors team, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.3-0ubuntu4

---------------
nova (2011.3-0ubuntu4) oneiric; urgency=low

  [James Page]
  * debian/nova-common.postinst:
    - Exclude mounted LXC rootfs filesystems within /var/lib/nova from
      user/group ownership changes (LP: #861260).
    - Ensure that primary group for 'nova' user is 'nova' so that files
      created by this user have the correct group ownership.

  [Adam Gandelman]
  * debian/nova-common.postinst: Restrict permissions of /var/log/nova
    (LP: #862816)

  [Ante Karamatic]
  * Add /usr/sbin/ietadm to sudoers (LP: #861547)
  * debian/control: Fix typo in Vcs-Bzr

  [Chuck Short]
  * debian/patches/backport-libvirt-console-pipe.patch:
    Move console.log to a ringbuffer so that the console.log
    keeps filling up. (LP: #832507)
  * debian/patches/backport-lxc-container-console-fix.patch:
    Make euca-get-console-output usable for LXC containers.
    (LP: #832159)
  * debian/patches/backport-snapshot-cleanup.patch:
    Enforce snapshot cleanup. (LP: #861582).
  * debian/patches/fix-lp863305-images-permission.patch:
    Fix image access control. (LP: #863305)
 -- Chuck Short <email address hidden> Fri, 30 Sep 2011 15:21:56 -0400

Changed in nova (Ubuntu Oneiric):
status: In Progress → Fix Released