/var/log/nova/* is world-readable

Bug #862816 reported by Adam Gandelman
Affects          Status        Importance  Assigned to     Milestone
nova (Ubuntu)    Fix Released  High        Adam Gandelman
Oneiric          Fix Released  High        Adam Gandelman

Bug Description

The default nova.conf ships with '--verbose' enabled by default. When set, each nova-* component logs all configuration flags to their respective logfile in /var/log/nova/, including any credentials stored in nova.conf (see attachment). If '--verbose' logging is to be enabled by default, permissions of logfiles in /var/log/nova should be restricted to match those of nova.conf (0600, nova:nova).
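The check and the mitigation the report asks for, as an added shell example that is not part of the bug report and not the nova package's debian/nova-common.postinst: it lists regular files in a log directory whose mode grants any permission to group or other (the 0644 default that exposes flags logged under --verbose), then tightens the files to 0600, the mode the report requests. The 0750 mode for the directory itself, the function names, and the sample log line with a placeholder connection string are constructed for this example; the demo runs in a temporary directory and never touches /var/log/nova.

```shell
#!/bin/sh
# Added example, not the nova package's postinst script.
# Audits a log directory for files readable by group/other and tightens them.

# List regular files directly under $1 whose mode grants any permission to
# group or other. With --verbose, these files carry every config flag,
# credentials included, so anything here is a disclosure.
audit_world_readable() {
    find "$1" -maxdepth 1 -type f -perm /077 -print
}

# Number of such files, for scripted checks.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Tighten a log directory: files become 0600 as the bug report requests.
# The 0750 directory mode is an assumption of this example. Ownership is only
# changed when an owner (e.g. nova:nova) is given and we are running as root.
restrict_logdir() {
    dir="$1"
    owner="${2:-}"
    chmod 0750 "$dir"
    find "$dir" -maxdepth 1 -type f -exec chmod 0600 {} +
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir"
    fi
}

# Demo on a constructed directory: a fake nova-compute.log holding a
# placeholder connection string, created 0644 like a default logfile.
demo() {
    tmp=$(mktemp -d)
    printf '%s\n' '--sql_connection=mysql://nova:PLACEHOLDER_PASSWORD@db/nova' \
        > "$tmp/nova-compute.log"
    chmod 0644 "$tmp/nova-compute.log"
    echo "before: $(count_world_readable "$tmp") insecure file(s)"
    audit_world_readable "$tmp"
    restrict_logdir "$tmp" nova:nova
    echo "after:  $(count_world_readable "$tmp") insecure file(s)"
    rm -rf "$tmp"
}

demo
```

Run as an unprivileged user the demo only changes modes; run as root with an owner argument it also applies the nova:nova ownership from the report. The audit half is the part worth keeping around: a scheduled run of audit_world_readable over the real log directory catches the regression if a later package upgrade or log rotation recreates the files with the default mode.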

Revision history for this message
Adam Gandelman (gandelman-a) wrote :
Dave Walker (davewalker)
Changed in nova (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
tags: added: server-o-rs
Changed in nova (Ubuntu Oneiric):
assignee: nobody → Adam Gandelman (gandelman-a)
Revision history for this message
Adam Gandelman (gandelman-a) wrote :

This is both a packaging problem and a Nova bug. Packaging should override the default logfile mode (0644) in nova.conf via the --logfile_mode flag; however, this option does not seem to function as it should (Bug #862969).

Changed in nova (Ubuntu Oneiric):
status: Triaged → In Progress
Revision history for this message
Adam Gandelman (gandelman-a) wrote :

Attached is a patch to be applied to lp:~ubuntu-server-dev/nova/diablo while we wait for LP merges to function again.

Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "nova.patch" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch, you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors, please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2011.3-0ubuntu4

---------------
nova (2011.3-0ubuntu4) oneiric; urgency=low

  [James Page]
  * debian/nova-common.postinst:
    - Exclude mounted LXC rootfs filesystems within /var/lib/nova from
      user/group ownership changes (LP: #861260).
    - Ensure that primary group for 'nova' user is 'nova' so that files
      created by this user have the correct group ownership.

  [Adam Gandelman]
  * debian/nova-common.postinst: Restrict permissions of /var/log/nova
    (LP: #862816)

  [Ante Karamatic]
  * Add /usr/sbin/ietadm to sudoers (LP: #861547)
  * debian/control: Fix typo in Vcs-Bzr

  [Chuck Short]
  * debian/patches/backport-libvirt-console-pipe.patch:
    Move console.log to a ringbuffer so that the console.log
    keeps filling up. (LP: #832507)
  * debian/patches/backport-lxc-container-console-fix.patch:
    Make euca-get-console-output usable for LXC containers.
    (LP: #832159)
  * debian/patches/backport-snapshot-cleanup.patch:
    Enforce snapshot cleanup. (LP: #861582).
  * debian/patches/fix-lp863305-images-permission.patch:
    Fix image access control. (LP: #863305)
 -- Chuck Short <email address hidden> Fri, 30 Sep 2011 15:21:56 -0400

Changed in nova (Ubuntu Oneiric):
status: In Progress → Fix Released