[Bug 900553] Re: Any user can manage the keystone database via keystone-manage

Evan Broder evan at ebroder.net
Tue Dec 6 15:42:54 UTC 2011


I'm going to go ahead and unsubscribe ubuntu-sponsors from this bug -
branch merge requests are automatically added to the sponsorship queue.

-- 
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/900553

Title:
  Any user can manage the keystone database via keystone-manage

Status in “keystone” package in Ubuntu:
  New

Bug description:
  Using keystone against an external mysql database, users have access
  to manage the keystone database, i.e.:

  ubuntu@ip-10-12-14-3:~$ keystone-manage user add tester p@ssword
  ubuntu@ip-10-12-14-3:~$ keystone-manage role add Admin
  ubuntu@ip-10-12-14-3:~$ keystone-manage role grant Admin tester

  Permissions on either /usr/bin/keystone-manage or
  /etc/keystone/keystone.conf need to be tightened.  I believe this is
  not an issue with the default package installation since keystone
  defaults to /var/lib/keystone/keystone.db as its backing store, which
  is owned 0755 by user keystone (perhaps this should also be restricted
  to 0600?)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/keystone/+bug/900553/+subscriptions
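
A permission audit for the two files the bug description names, as an added example that is not part of the original report or of the keystone package: it flags any path whose mode grants access to all local users. The function names are hypothetical, and `stat -c` assumes GNU coreutils, as on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the bug report or the keystone package).
# Audits files that, when accessible to every local user, let that user
# drive keystone-manage against the backing store.
# Usage: audit_keystone_perms [path ...]
# Exit status is the number of paths exposed to "other".

# Return 0 when the "other" permission digit grants any access,
# 1 when it grants none, 2 when the file cannot be stat'ed.
other_has_access() {
    mode=$(stat -c '%a' -- "$1") || return 2
    # %a prints the octal mode without a leading zero (e.g. 755, 600),
    # so the last decimal digit is the "other" permission digit.
    other=$((mode % 10))
    [ "$other" -ne 0 ]
}

audit_keystone_perms() {
    # Default to the paths named in the bug description.
    [ "$#" -gt 0 ] || set -- /etc/keystone/keystone.conf \
                             /var/lib/keystone/keystone.db
    exposed=0
    for f in "$@"; do
        if [ ! -e "$f" ]; then
            echo "SKIP  $f (not present)"
            continue
        fi
        info=$(stat -c '%a %U:%G' -- "$f")
        if other_has_access "$f"; then
            echo "FAIL  $f ($info): accessible to all local users"
            exposed=$((exposed + 1))
        else
            echo "OK    $f ($info)"
        fi
    done
    return "$exposed"
}
```

Run it as a user who can stat both paths; a FAIL on the configuration file matters most when it points keystone at an external database, which is the setup the report describes.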


