[Bug 1674465] [NEW] wsgi scripts shouldn't grant on /usr/bin
Corey Bryant
corey.bryant at canonical.com
Mon Mar 20 20:04:01 UTC 2017
Public bug reported:
cdent mentioned this:
<cdent> coreycb: as a somewhat related aside: I think the wsgi script
should not be in /usr/bin and the Directory statement should not grant
on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in
the habit of installing the wsgi script in /usr/bin or /usr/local/bin
and that's probably bad.
It does seems sensible to limit the access granted to something more
minimal than /usr/bin.
For reference:
https://httpd.apache.org/docs/2.4/howto/access.html
This affects the nova-placement-api. https://git.launchpad.net/~ubuntu-
server-dev/ubuntu/+source/nova/tree/debian/nova-placement-
api.conf?h=stable/ocata
This affects more than just nova. We should revisit all of our packages
that have wsgi scripts.
** Affects: keystone (Ubuntu)
Importance: Undecided
Status: New
** Affects: nova (Ubuntu)
Importance: Undecided
Status: New
** Also affects: keystone (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1674465
Title:
wsgi scripts shouldn't grant on /usr/bin
Status in keystone package in Ubuntu:
New
Status in nova package in Ubuntu:
New
Bug description:
cdent mentioned this:
<cdent> coreycb: as a somewhat related aside: I think the wsgi script
should not be in /usr/bin and the Directory statement should not grant
on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in
the habit of installing the wsgi script in /usr/bin or /usr/local/bin
and that's probably bad.
It does seems sensible to limit the access granted to something more
minimal than /usr/bin.
For reference:
https://httpd.apache.org/docs/2.4/howto/access.html
This affects the nova-placement-api. https://git.launchpad.net
/~ubuntu-server-dev/ubuntu/+source/nova/tree/debian/nova-placement-
api.conf?h=stable/ocata
This affects more than just nova. We should revisit all of our
packages that have wsgi scripts.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/1674465/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list