[SRU] local_settings.py is world readable and contains passwords
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard Charm | Fix Released | Critical | Unassigned |
Ubuntu Cloud Archive | Invalid | Undecided | Unassigned |
Kilo | Fix Released | Critical | Corey Bryant |
Mitaka | Fix Released | Critical | Corey Bryant |
Newton | Fix Released | Critical | Corey Bryant |
Ocata | Fix Released | Critical | Corey Bryant |
Pike | Fix Released | Critical | Unassigned |
designate-dashboard (Ubuntu) | Invalid | Undecided | Unassigned |
Artful | Fix Released | Critical | Corey Bryant |
horizon (Ubuntu) | Invalid | Undecided | Unassigned |
Trusty | Fix Released | Critical | Corey Bryant |
Xenial | Fix Released | Critical | Corey Bryant |
murano-dashboard (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Fix Released | Critical | Unassigned |
Artful | Fix Released | Critical | Unassigned |
neutron-lbaas-dashboard (Ubuntu) | Invalid | Undecided | Unassigned |
sahara-dashboard (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Fix Released | Critical | Unassigned |
Artful | Fix Released | Critical | Corey Bryant |
trove-dashboard (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Fix Released | Critical | Unassigned |
Artful | Fix Released | Critical | Unassigned |
Bug Description
[Impact]
nobody@
'PASSWORD': 'yNXwml0TXuWjcW
#EMAIL_
#OPENSTACK_
OPENSTACK_
#ENFORCE_
nobody@
Needless to say, I should not be able to see passwords as 'nobody'.
This is on a customer site, but I've reproduced at least the world readableness with a fresh deploy of cs:openstack-
This release sports mostly bug-fixes and we would like to make sure all of our supported customers have access to these improvements.
The update contains the following package updates:
* <TODO: Create list with package names and versions>
[Test Case]
apt install openstack-dashboard
sudo ls -al /etc/openstack-
permissions should be:
-rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py
sudo ls -al /var/lib/
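The test case above boils down to one check: the settings file must not carry the other-read bit, and its mode should be -rw-r----- with owner root and group horizon. The script below is an added example for verifying that, not part of the bug report or of the horizon packaging. Since the real path in the report is truncated, the demo creates constructed files in a temporary directory (one with the reported 644 mode, one with the expected 640 mode); `world_readable`, `check_settings_perms` and `find_world_readable` are names chosen here, and the owner/group is reported but not asserted because the demo cannot create a root:horizon file.

```shell
#!/bin/sh
# Added example, not from the bug report: a small permission audit for a
# Horizon-style local_settings.py. The real path in the bug is truncated
# ("/etc/openstack-..."), so the demo works on constructed files in a temp dir.

# Exit 0 when the file's "other" read bit is set, i.e. the mode the reporter
# saw (-rw-r--r--). Column 8 of `ls -ld` output is the other-read flag.
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# Compare the 10-character mode string against the expected one from the
# bug's [Test Case] (-rw-r----- is 0640). Owner and group (root:horizon on a
# real install) are printed but not asserted.
check_settings_perms() {
    f="$1"; want="$2"
    got=$(ls -ld "$f" | cut -c1-10)
    owner=$(ls -ld "$f" | awk '{print $3 ":" $4}')
    if [ "$got" = "$want" ]; then
        echo "OK   $f $got ($owner)"
        return 0
    fi
    echo "FAIL $f is $got ($owner), expected $want" >&2
    return 1
}

# List regular files under a directory that are world readable. "-perm -004"
# (all of the given bits set) is POSIX find, so this sweeps a whole config
# tree such as the dashboard plugins' settings directories, not just one file.
find_world_readable() {
    find "$1" -type f -perm -004
}

# Demo on constructed files: one with the reported 644 mode, one with the fix.
run_demo() {
    d=$(mktemp -d)
    printf "SECRET_KEY = 'constructed-demo-value'\n" > "$d/local_settings.py"
    chmod 644 "$d/local_settings.py"        # the state reported in the bug
    printf "SECRET_KEY = 'constructed-demo-value'\n" > "$d/local_settings.fixed.py"
    chmod 640 "$d/local_settings.fixed.py"  # the state the SRU test case expects
    echo "world-readable files under $d:"
    find_world_readable "$d"
    check_settings_perms "$d/local_settings.py" "-rw-r-----" || :
    check_settings_perms "$d/local_settings.fixed.py" "-rw-r-----" || :
    rm -rf "$d"
}

run_demo
```

On a real host, point `check_settings_perms` at the installed local_settings.py and `find_world_readable` at the settings directory of each dashboard plugin listed in the affects table; any file the sweep prints is readable by the web server's unprivileged users, which is exactly the exposure the reporter demonstrated as `nobody`.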
[Regression Potential]
Very minimal regression potential. The fix is already in artful/pike and bionic/queens.
[Discussion]
The following comment is copied from comment #30 below but important to call out for SRU review:
coreycb: I've uploaded designate-
Changed in charm-openstack-dashboard:
  milestone: none → 18.05
  assignee: nobody → Corey Bryant (corey.bryant)
  importance: Undecided → Critical
  tags: added: uosci
  description: updated
Changed in cloud-archive:
  assignee: nobody → Corey Bryant (corey.bryant)
Changed in horizon (Ubuntu Trusty):
  assignee: nobody → Corey Bryant (corey.bryant)
Changed in horizon (Ubuntu Xenial):
  assignee: nobody → Corey Bryant (corey.bryant)
Changed in charm-openstack-dashboard:
  status: Confirmed → Invalid
Changed in charm-openstack-dashboard:
  importance: Critical → Undecided
  assignee: Corey Bryant (corey.bryant) → nobody
  milestone: 18.05 → none
Changed in cloud-archive:
  assignee: Corey Bryant (corey.bryant) → nobody
Changed in sahara-dashboard (Ubuntu):
  importance: Undecided → Critical
  status: New → Triaged
  assignee: nobody → Corey Bryant (corey.bryant)
  assignee: Corey Bryant (corey.bryant) → nobody
  importance: Critical → Undecided
  status: Triaged → Invalid
Changed in sahara-dashboard (Ubuntu Artful):
  assignee: nobody → Corey Bryant (corey.bryant)
  importance: Undecided → Critical
  status: New → Triaged
no longer affects: horizon (Ubuntu Artful)
description: updated
description: updated
information type: Private Security → Public Security
no longer affects: trove-dashboard (Ubuntu)
Changed in trove-dashboard (Ubuntu):
  status: New → Invalid
Changed in neutron-lbaas-dashboard (Ubuntu):
  status: New → Invalid
Changed in murano-dashboard (Ubuntu):
  status: New → Invalid
Changed in trove-dashboard (Ubuntu Xenial):
  importance: Undecided → Critical
Changed in trove-dashboard (Ubuntu Artful):
  importance: Undecided → Critical
Changed in murano-dashboard (Ubuntu Xenial):
  importance: Undecided → Critical
Changed in murano-dashboard (Ubuntu Artful):
  importance: Undecided → Critical
Changed in sahara-dashboard (Ubuntu Xenial):
  importance: Undecided → Critical
Changed in charm-openstack-dashboard:
  status: Triaged → Fix Released
I've just confirmed this at a site with 17.02 charms, and indeed the perms on the file are -rw-r--r--