[Bug 1674465] [NEW] wsgi scripts shouldn't grant on /usr/bin

Corey Bryant corey.bryant at canonical.com
Mon Mar 20 20:04:01 UTC 2017


Public bug reported:

cdent mentioned this:

<cdent> coreycb: as a somewhat related aside: I think the wsgi script
should not be in /usr/bin and the Directory statement should not grant
on /usr/bin, but whatever the wsgi script dir is. It is pbr that is in
the habit of installing the wsgi script in /usr/bin or /usr/local/bin
and that's probably bad.

It does seem sensible to limit the access granted to something more
minimal than /usr/bin.

For reference:
https://httpd.apache.org/docs/2.4/howto/access.html

This affects the nova-placement-api.
https://git.launchpad.net/~ubuntu-server-dev/ubuntu/+source/nova/tree/debian/nova-placement-api.conf?h=stable/ocata

This affects more than just nova.  We should revisit all of our packages
that have wsgi scripts.

** Affects: keystone (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: nova (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: keystone (Ubuntu)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to nova in Ubuntu.
https://bugs.launchpad.net/bugs/1674465
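
For revisiting the packages that ship wsgi scripts, a small audit can flag any Apache <Directory> block that grants access on a shared binary directory. This is an added example, not code from the bug report or from the Ubuntu packages; the sample configs are constructed, /usr/lib/example-wsgi is a hypothetical path, and both the list of shared directories and the decision to accept grants scoped by <Files> are assumptions of the sketch.

```python
import re
from pathlib import PurePosixPath

# Directories holding unrelated executables: a grant here covers far more than one script.
# (Assumed list for this sketch; extend it to match local policy.)
SHARED_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}

COMMENT_RE = re.compile(r"^\s*#.*$", re.M)
DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>(.*?)</Directory>', re.S | re.I)
FILES_RE = re.compile(r"<Files\b.*?</Files>", re.S | re.I)  # grants scoped to named files
GRANT_RE = re.compile(r"^\s*(Require\s+all\s+granted|Allow\s+from\s+all)\b", re.M | re.I)
ALIAS_RE = re.compile(r'^\s*WSGIScriptAlias\s+\S+\s+"?([^"\s]+)', re.M | re.I)

def audit(conf_text):
    """Return one finding per <Directory> block that grants on a shared binary directory."""
    conf_text = COMMENT_RE.sub("", conf_text)
    scripts = [PurePosixPath(p) for p in ALIAS_RE.findall(conf_text)]
    findings = []
    for raw_path, body in DIRECTORY_RE.findall(conf_text):
        directory = PurePosixPath(raw_path.strip())
        # Ignore grants nested in <Files>: they apply to named files, not the whole directory.
        if str(directory) in SHARED_BIN_DIRS and GRANT_RE.search(FILES_RE.sub("", body)):
            served = sorted(str(s) for s in scripts if s.parent == directory)
            findings.append({"directory": str(directory), "wsgi_scripts": served})
    return findings

# Constructed sample: the pattern the report describes (not the package's actual file).
BROAD = """
WSGIScriptAlias / /usr/bin/nova-placement-api
<Directory /usr/bin>
    Require all granted
</Directory>
"""

# Constructed sample: same service with the script in its own directory (hypothetical path).
NARROW = """
WSGIScriptAlias / /usr/lib/example-wsgi/nova-placement-api
<Directory /usr/lib/example-wsgi>
    Require all granted
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("broad", BROAD), ("narrow", NARROW)):
        print(name, audit(conf))
```
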



More information about the Ubuntu-openstack-bugs mailing list