[Bug 1820992] Re: Package installs files with loose permissions
Corey Bryant
corey.bryant at canonical.com
Wed Mar 20 14:51:33 UTC 2019
I believe this needs fixing across all package versions. It exists for
stein:
root at d1:~# ls -al /etc/keystone
total 72
drwxr-xr-x 2 root root 7 Mar 20 14:49 .
drwxr-xr-x 86 root root 174 Mar 20 14:49 ..
-rw-r--r-- 1 root root 2303 Apr 28 2017 default_catalog.templates
-rw-r--r-- 1 root root 109578 Mar 19 11:26 keystone.conf
-rw-r--r-- 1 root root 81504 Mar 19 11:26 keystone.policy.yaml
-rw-r--r-- 1 root root 1046 Mar 19 11:26 logging.conf
-rw-r--r-- 1 root root 665 Apr 28 2017 sso_callback_template.html
As part of this bug we should also audit all of our core openstack
packages to make sure they have the right permissions. I made a pass on
several during this cycle but must have missed keystone somehow.
--
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to keystone in Ubuntu.
https://bugs.launchpad.net/bugs/1820992
Title:
Package installs files with loose permissions
Status in OpenStack keystone charm:
New
Status in keystone package in Ubuntu:
New
Bug description:
The OpenStack Security Guide [1] suggests that the listed files should
have permissions of 640 (or tighter), below are files delivered via
the package that differ from that recommendation:
- /etc/keystone/keystone.conf
- /etc/keystone/keystone-paste.ini
- /etc/keystone/logging.conf
[1]: https://docs.openstack.org/security-guide/identity/checklist.html
#check-identity-02-are-strict-permissions-set-for-identity-
configuration-files
This is on a fresh Bionic (Queens) package
To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-keystone/+bug/1820992/+subscriptions
More information about the Ubuntu-openstack-bugs
mailing list