[Bug 1675088] Re: Restrict permissions on Openstack installation

Andy Whitcroft apw at canonical.com
Fri Jun 16 09:45:36 UTC 2017 

Hello Joseph, or anyone else affected,

Accepted heat into zesty-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/heat/1:8.0.1-0ubuntu1
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-needed to verification-done. If it does not fix the
bug for you, please add a comment stating that, and change the tag to
verification-failed.  In either case, details of your testing will help
us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance!

** Changed in: heat (Ubuntu Zesty)
       Status: In Progress => Fix Committed

** Tags added: verification-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1675088

Title:
  Restrict permissions on Openstack installation

Status in Ubuntu Cloud Archive:
  Triaged
Status in heat package in Ubuntu:
  Fix Released
Status in horizon package in Ubuntu:
  Fix Committed
Status in heat source package in Zesty:
  Fix Committed
Status in horizon source package in Zesty:
  Triaged
Status in heat source package in Artful:
  Fix Released
Status in horizon source package in Artful:
  Fix Committed

Bug description:
  [Impact]
  Default configuration file permissions may allow read by unprivileged users other than the package system account.

  [Test Case]
  sudo apt install <pkg>-common
  ls -l /etc/<pkg>
  a) folder may be readable b) files may be readable

  [Regression Potential]
  Medium; if a openstack daemon can't read its config files, it won't startup; however most packages are covered by DEP-8 tests and we'll test
  a full OpenStack deployment using the normal SRU testing process:

  https://wiki.ubuntu.com/OpenStack/StableReleaseUpdates

  [Original Bug Report]
  Example given by CPE:

  Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon
  Permssions for /etc/cinder/ are too loose (750).  Should be 700, cinder:cinder
  Permssions for /etc/glance/ are too loose (755).  Should be 700, glance:glance
  Permssions for /etc/heat/ are too loose (750).  Should be 700, heat:heat
  Permssions for /etc/ceilometer/ are too loose (755).  Should be 700, ceilometer:ceilometer

  Will leave for you to evaluate best permissions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list