[Bug 1674465] Re: wsgi scripts shouldn't grant on /usr/bin
Chuck Short
chuck.short at canonical.com
Mon Apr 10 14:13:51 UTC 2017
** Changed in: keystone (Ubuntu)
Status: New => Confirmed
** Changed in: nova (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/1674465
Title:
wsgi scripts shouldn't grant on /usr/bin
Status in keystone package in Ubuntu:
Confirmed
Status in nova package in Ubuntu:
Confirmed
Bug description:
cdent mentioned this:
<cdent> coreycb: as a somewhat related aside: I think the wsgi script
should not be in /usr/bin and the Directory statement should not grant
on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in
the habit of installing the wsgi script in /usr/bin or /usr/local/bin
and that's probably bad.
It does seem sensible to limit the access granted to something more
minimal than /usr/bin.
For reference:
https://httpd.apache.org/docs/2.4/howto/access.html
This affects the nova-placement-api.
https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/nova/tree/debian/nova-placement-api.conf?h=stable/ocata
This affects more than just nova. We should revisit all of our
packages that have wsgi scripts.
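One way to revisit packaged Apache configs for the pattern described in this bug, as an added example (not code from the bug report or from the Ubuntu packages): a small audit that flags a WSGI script placed in a shared binary directory and any Directory block that grants access on one. The BROAD_DIRS list, the sample configs, and the names example-api and /usr/lib/example-wsgi are constructed assumptions.

```python
import re

# Shared executable directories: a grant here covers every binary in them,
# not just the one WSGI entry point. The list is an assumption; extend it.
BROAD_DIRS = {"/", "/bin", "/sbin", "/usr", "/usr/bin", "/usr/sbin", "/usr/local/bin"}

DIR_OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
DIR_CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
GRANT = re.compile(r'^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\b', re.I)
WSGI_ALIAS = re.compile(r'^\s*WSGIScriptAlias\s+\S+\s+"?([^"\s]+)', re.I)


def audit(conf_text):
    """Return [(line_no, directory, reason)] for one Apache config file."""
    findings, current = [], None
    for no, line in enumerate(conf_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        alias, opened = WSGI_ALIAS.match(line), DIR_OPEN.match(line)
        if alias:
            script_dir = alias.group(1).rsplit("/", 1)[0] or "/"
            if script_dir in BROAD_DIRS:
                findings.append((no, script_dir, "wsgi script lives in shared bin dir"))
        elif opened:
            current = opened.group(1).rstrip("/") or "/"
        elif DIR_CLOSE.match(line):
            current = None
        elif current in BROAD_DIRS and GRANT.match(line):
            findings.append((no, current, "access granted on shared bin dir"))
    return findings


# Constructed sample: the pattern the bug describes (script and grant in /usr/bin).
WEAK = """\
WSGIScriptAlias / /usr/bin/example-api
<Directory /usr/bin>
    <IfVersion >= 2.4>
        Require all granted
    </IfVersion>
</Directory>
"""

# Constructed sample: script moved to its own (hypothetical) directory.
NARROW = """\
WSGIScriptAlias / /usr/lib/example-wsgi/example-api
<Directory /usr/lib/example-wsgi>
    Require all granted
</Directory>
"""
```

Calling audit() on the text of each file under the Apache configuration directory gives a per-package list to review; an empty list means neither pattern was found in that file.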