[Bug 1859412] [NEW] security: set default umask for service to 0027

James Page james.page at ubuntu.com
Mon Jan 13 09:18:32 UTC 2020 

Public bug reported:

OpenStack services have no way to specify the permissions on log files
created; standards such as CIS set a default umask of 0027 however that
is not applied to units running under systemd.

This means that log files (and any other files or directories created by
a daemon) will have global read permissions by default.

As the systemd unit files are templated, we can update this fairly
easily for openstack services by adding the UMask=0027 directive to the
core template.

** Affects: openstack-pkg-tools (Ubuntu)
     Importance: High
         Status: Fix Committed

** Affects: openstack-pkg-tools (Ubuntu Focal)
     Importance: High
         Status: Fix Committed

** Also affects: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: openstack-pkg-tools (Ubuntu Focal)
       Status: New => Fix Committed

** Changed in: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to openstack-pkg-tools in Ubuntu.
https://bugs.launchpad.net/bugs/1859412

Title:
  security: set default umask for service to 0027

Status in openstack-pkg-tools package in Ubuntu:
  Fix Committed
Status in openstack-pkg-tools source package in Focal:
  Fix Committed

Bug description:
  OpenStack services have no way to specify the permissions on log files
  created; standards such as CIS set a default umask of 0027 however
  that is not applied to units running under systemd.

  This means that log files (and any other files or directories created
  by a daemon) will have global read permissions by default.

  As the systemd unit files are templated, we can update this fairly
  easily for openstack services by adding the UMask=0027 directive to
  the core template.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openstack-pkg-tools/+bug/1859412/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list