[Bug 1755027] Re: [SRU] local_settings.py is world readable and contains passwords

Corey Bryant corey.bryant at canonical.com
Fri Mar 16 13:09:50 UTC 2018


I also verified and promoted kilo yesterday, tagging appropriately.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1755027

Title:
  [SRU] local_settings.py is world readable and contains passwords

Status in OpenStack openstack-dashboard charm:
  Fix Released
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Triaged
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in designate-dashboard package in Ubuntu:
  Invalid
Status in horizon package in Ubuntu:
  Invalid
Status in murano-dashboard package in Ubuntu:
  Invalid
Status in neutron-lbaas-dashboard package in Ubuntu:
  Invalid
Status in sahara-dashboard package in Ubuntu:
  Invalid
Status in trove-dashboard package in Ubuntu:
  Invalid
Status in horizon source package in Trusty:
  Fix Committed
Status in horizon source package in Xenial:
  Fix Committed
Status in murano-dashboard source package in Xenial:
  Fix Committed
Status in sahara-dashboard source package in Xenial:
  Fix Committed
Status in trove-dashboard source package in Xenial:
  Fix Committed
Status in designate-dashboard source package in Artful:
  Fix Committed
Status in murano-dashboard source package in Artful:
  Fix Committed
Status in sahara-dashboard source package in Artful:
  Fix Committed
Status in trove-dashboard source package in Artful:
  Fix Committed

Bug description:
  [Impact]

  nobody at juju-a45617-0-lxd-4:/$ grep PASSWORD /etc/openstack-dashboard/local_settings.py
          'PASSWORD': 'yNXwml0TXuWjcW19jDzE49IiohSIMY',
  #EMAIL_HOST_PASSWORD = 'top-secret!'
  #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
  OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
  #ENFORCE_PASSWORD_CHECK = False
  nobody at juju-a45617-0-lxd-4:/$

  Needless to say, I should not be able to see passwords as 'nobody'.

  This is on a customer site, but I've reproduced at least the world
  readableness with a fresh deploy of cs:openstack-dashboard locally.

  This release sports mostly bug-fixes and we would like to make sure all of our
  supported customers have access to these improvements.
  The update contains the following package updates:

     * <TODO: Create list with package names and versions>

  [Test Case]
  apt install openstack-dashboard
  sudo ls -al /etc/openstack-dashboard/

  permissions should be:
  -rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py

  sudo ls -al /var/lib/openstack-dashboard/ # should be recursively
  owned by horizon:horizon before and after installing any dashboard
  plugins

  [Regression Potential]
  Very minimal regression potential. The fix is already in artful/pike and bionic/queens.

  [Discussion]
  The following comment is copied from comment #30 below but important to call out for SRU review:

  coreycb: I've uploaded designate-dashboard, murano-dashboard, trove-
  dashboard, and sahara-dashboard to the Artful Unapproved queue where
  they are awaiting review by the SRU team. Note that these changes are
  only updating these dashboard to use the proper user:group when
  performing chown on /var/lib/openstack-dashboard. This may look
  tengential when just looking at the Artful packages but it aligns with
  the changes being made for the Ocata cloud-archive (and already made
  in Bionic) that run openstack-dashboard under horizon:horizon instead
  of under www-data:www-data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1755027/+subscriptions



More information about the Ubuntu-openstack-bugs mailing list