[Bug 1755027] Re: [SRU] local_settings.py is world readable and contains passwords

Corey Bryant corey.bryant at canonical.com
Fri Mar 16 13:46:33 UTC 2018 

Xenial verification has completed successfully using xenial-proposed
with the following packages:

openstack-dashboard: 2:9.1.2-0ubuntu5
python-sahara-dashboard: 4.0.0-1ubuntu1.1
python-murano-dashboard: 1:2.0.0-1ubuntu1
python-trove-dashboard: 6.0.0-1ubuntu1

After installing each package, permissions for /etc/openstack-dashboard
and /var/lib/openstack-dashboard remains as follows and the dashboard
continues to function as expected:

/etc/openstack-dashboard:
total 36
drwxr-xr-x   2 horizon horizon  4096 Mar 16 13:26 .
drwxr-xr-x 101 root    root     4096 Mar 16 13:27 ..
-rw-r-----   1 root    horizon 26775 Mar 16 13:29 local_settings.py

/var/lib/openstack-dashboard:
total 12
drwx------  2 horizon horizon 4096 Mar 16 13:26 .
drwxr-xr-x 48 root    root    4096 Mar 16 13:26 ..
-rw-------  1 horizon horizon   64 Mar 16 13:26 secret_key
-rw-r--r--  1 horizon horizon    0 Mar 16 13:26 _var_lib_openstack-dashboard_secret_key.lock

** Tags removed: verification-mitaka-needed verification-needed
** Tags added: verification-done

** Also affects: cloud-archive/pike
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1755027

Title:
  [SRU] local_settings.py is world readable and contains passwords

Status in OpenStack openstack-dashboard charm:
  Fix Released
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Fix Committed
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in Ubuntu Cloud Archive pike series:
  Fix Committed
Status in designate-dashboard package in Ubuntu:
  Invalid
Status in horizon package in Ubuntu:
  Invalid
Status in murano-dashboard package in Ubuntu:
  Invalid
Status in neutron-lbaas-dashboard package in Ubuntu:
  Invalid
Status in sahara-dashboard package in Ubuntu:
  Invalid
Status in trove-dashboard package in Ubuntu:
  Invalid
Status in horizon source package in Trusty:
  Fix Committed
Status in horizon source package in Xenial:
  Fix Committed
Status in murano-dashboard source package in Xenial:
  Fix Committed
Status in sahara-dashboard source package in Xenial:
  Fix Committed
Status in trove-dashboard source package in Xenial:
  Fix Committed
Status in designate-dashboard source package in Artful:
  Fix Committed
Status in murano-dashboard source package in Artful:
  Fix Committed
Status in sahara-dashboard source package in Artful:
  Fix Committed
Status in trove-dashboard source package in Artful:
  Fix Committed

Bug description:
  [Impact]

  nobody at juju-a45617-0-lxd-4:/$ grep PASSWORD /etc/openstack-dashboard/local_settings.py
          'PASSWORD': 'yNXwml0TXuWjcW19jDzE49IiohSIMY',
  #EMAIL_HOST_PASSWORD = 'top-secret!'
  #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
  OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
  #ENFORCE_PASSWORD_CHECK = False
  nobody at juju-a45617-0-lxd-4:/$

  Needless to say, I should not be able to see passwords as 'nobody'.

  This is on a customer site, but I've reproduced at least the world
  readableness with a fresh deploy of cs:openstack-dashboard locally.

  This release sports mostly bug-fixes and we would like to make sure all of our
  supported customers have access to these improvements.
  The update contains the following package updates:

     * <TODO: Create list with package names and versions>

  [Test Case]
  apt install openstack-dashboard
  sudo ls -al /etc/openstack-dashboard/

  permissions should be:
  -rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py

  sudo ls -al /var/lib/openstack-dashboard/ # should be recursively
  owned by horizon:horizon before and after installing any dashboard
  plugins

  [Regression Potential]
  Very minimal regression potential. The fix is already in artful/pike and bionic/queens.

  [Discussion]
  The following comment is copied from comment #30 below but important to call out for SRU review:

  coreycb: I've uploaded designate-dashboard, murano-dashboard, trove-
  dashboard, and sahara-dashboard to the Artful Unapproved queue where
  they are awaiting review by the SRU team. Note that these changes are
  only updating these dashboard to use the proper user:group when
  performing chown on /var/lib/openstack-dashboard. This may look
  tengential when just looking at the Artful packages but it aligns with
  the changes being made for the Ocata cloud-archive (and already made
  in Bionic) that run openstack-dashboard under horizon:horizon instead
  of under www-data:www-data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1755027/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list