[Bug 1675088] Re: Restrict permissions on Openstack installation

Launchpad Bug Tracker 1675088 at bugs.launchpad.net
Mon Jul 17 14:43:36 UTC 2017 

This bug was fixed in the package heat - 1:8.0.1-0ubuntu1

---------------
heat (1:8.0.1-0ubuntu1) zesty; urgency=medium

  [ Chuck Short ]
  * d/heat-common.postinst: Make sure that /etc/heat has the appropriate
    permissions (LP: #1675088).

  [ James Page ]
  * New upstream stable release for OpenStack Ocata (LP: #1696139).

 -- James Page <james.page at ubuntu.com>  Wed, 07 Jun 2017 16:02:28 +0100

** Changed in: heat (Ubuntu Zesty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to heat in Ubuntu.
https://bugs.launchpad.net/bugs/1675088

Title:
  Restrict permissions on Openstack installation

Status in Ubuntu Cloud Archive:
  Triaged
Status in heat package in Ubuntu:
  Fix Released
Status in horizon package in Ubuntu:
  Fix Committed
Status in heat source package in Zesty:
  Fix Released
Status in horizon source package in Zesty:
  Triaged
Status in heat source package in Artful:
  Fix Released
Status in horizon source package in Artful:
  Fix Committed

Bug description:
  [Impact]
  Default configuration file permissions may allow read by unprivileged users other than the package system account.

  [Test Case]
  sudo apt install <pkg>-common
  ls -l /etc/<pkg>
  a) folder may be readable b) files may be readable

  [Regression Potential]
  Medium; if a openstack daemon can't read its config files, it won't startup; however most packages are covered by DEP-8 tests and we'll test
  a full OpenStack deployment using the normal SRU testing process:

  https://wiki.ubuntu.com/OpenStack/StableReleaseUpdates

  [Original Bug Report]
  Example given by CPE:

  Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon
  Permssions for /etc/cinder/ are too loose (750).  Should be 700, cinder:cinder
  Permssions for /etc/glance/ are too loose (755).  Should be 700, glance:glance
  Permssions for /etc/heat/ are too loose (750).  Should be 700, heat:heat
  Permssions for /etc/ceilometer/ are too loose (755).  Should be 700, ceilometer:ceilometer

  Will leave for you to evaluate best permissions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list