[Bug 1859412] [NEW] security: set default umask for service to 0027
James Page
james.page at ubuntu.com
Mon Jan 13 09:18:32 UTC 2020
Public bug reported:

OpenStack services have no way to specify the permissions on log files
created; standards such as CIS set a default umask of 0027, however that
is not applied to units running under systemd.

This means that log files (and any other files or directories created by
a daemon) will have global read permissions by default.

As the systemd unit files are templated, we can update this fairly
easily for OpenStack services by adding the UMask=0027 directive to the
core template.

** Affects: openstack-pkg-tools (Ubuntu)
Importance: High
Status: Fix Committed
** Affects: openstack-pkg-tools (Ubuntu Focal)
Importance: High
Status: Fix Committed
** Also affects: openstack-pkg-tools (Ubuntu Focal)
Importance: Undecided
Status: New
** Changed in: openstack-pkg-tools (Ubuntu Focal)
Status: New => Fix Committed
** Changed in: openstack-pkg-tools (Ubuntu Focal)
Importance: Undecided => High
https://bugs.launchpad.net/bugs/1859412
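
Added example (not part of the bug report or of openstack-pkg-tools): a shell sketch that shows the modes new files and directories get under the common 0022 mask versus the proposed 0027, and lists files in a directory that "other" can still read. The function names and file names are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; names and paths here are constructed, not taken from
# openstack-pkg-tools.

# Print "<file mode> <dir mode>" for objects created under umask $1.
# Daemons normally request 0666 for files and 0777 for directories; the
# kernel then clears every bit that is set in the process umask.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/service.log"      # stands in for a daemon-created log file
    mkdir "$tmp/state"          # stands in for a daemon-created directory
    out="$(stat -c %a "$tmp/service.log") $(stat -c %a "$tmp/state")"
    rm -rf "$tmp"
    echo "$out"
)

# List regular files under directory $1 whose "other" read bit is set,
# i.e. files any local account can read.
world_readable_files() {
    find "$1" -type f -perm -004 -print
}

# Compare the two masks side by side.
for mask in 0022 0027; do
    echo "umask $mask -> file/dir modes: $(modes_under_umask "$mask")"
done

# Constructed log directory: one file written before the change (0022),
# one written after it (0027). Only the first should be reported.
logdir=$(mktemp -d)
( umask 0022; : > "$logdir/before-fix.log" )
( umask 0027; : > "$logdir/after-fix.log" )
echo "world-readable files:"
world_readable_files "$logdir"
rm -rf "$logdir"
```

On a live host, `systemctl show -p UMask <unit>` reports the mask systemd applies to a unit. Files created before the mask changed keep their old mode, so an audit like `world_readable_files` is still needed for existing logs.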