OpenStack Compute (nova)

nova.conf should not be world-readable

Bug #798878 reported by Al Stone
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Invalid
High
Unassigned
nova (Ubuntu)
Fix Released
High
Chuck Short

Bug Description

nova.conf usually contains database passwords, so it should not be world-readable. However if nova.conf is not world-readable, nova-* components can't start.

---
I'm seeing this problem in the natty version of nova; it appears the only workaround for now is:

chmod o+r /etc/nova/nova.conf

which I'd really rather not do since it can leak the MySQL password. If I do make the change, however, all the services start properly.

See original description
Revision history for this message
Chuck Short (zulcss) wrote :

This is in cactus I believe correct?

Revision history for this message
Al Stone (ahs3) wrote :

Correct: cactus, all packages from natty.

nova# COLUMNS=120 dpkg -l nova-*
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Description
+++-========================-========================-================================================================
ii nova-api 2011.2-0ubuntu1 OpenStack Compute - Nova - API frontend
ii nova-common 2011.2-0ubuntu1 OpenStack Compute - Nova - common files
ii nova-compute 2011.2-0ubuntu1 OpenStack Compute - Nova - compute node
ii nova-doc 2011.2-0ubuntu1 OpenStack Compute - Nova - documetation
ii nova-network 2011.2-0ubuntu1 OpenStack Compute - Nova - Network thingamajig
ii nova-objectstore 2011.2-0ubuntu1 OpenStack Compute - Nova - object store
ii nova-scheduler 2011.2-0ubuntu1 OpenStack Compute - Nova - Scheduler

Revision history for this message
Thierry Carrez (ttx) wrote :

How about letting just the nova group read the file:

$ sudo chgrp nova /etc/nova/nova.conf
$ sudo chmod 640 /etc/nova/nova.conf

Changed in nova:
status: New → Incomplete
Revision history for this message
Al Stone (ahs3) wrote :

I made sure all was up and working -- I could start and stop instances, and run the dashboard, for example -- and then did:

   $ sudo chmod 640 /etc/nova/nova.conf

Group was already set to nova. I then restarted daemons, and got no info in the logs. I then rebooted the system and the daemons would all seem to start, but again none of them provided syslog info, nor did they seem to accumulate CPU time. As soon as I did:

   $ sudo chmod 644 /etc/nova/nova.conf

the daemons all started generating syslog information and accumulating CPU time.

Revision history for this message
Soren Hansen (soren) wrote :

Who owns /etc/nova/nova.conf ?

Revision history for this message
Thierry Carrez (ttx) wrote :

My suggestion was bogus, since there is no "nova" group on the system. The config file should be nova:root 600 in order to be nova-readable without being world-readable. Editing title and description

summary: - nova-XXX respawns constantly -- [Errno 111] Connection refused
+ nova.conf should not be world-readable
description: updated
Changed in nova:
importance: Undecided → High
status: Incomplete → Confirmed
security vulnerability: no → yes
Revision history for this message
Thierry Carrez (ttx) wrote :

This is actually a packaging bug.

Changed in nova (Ubuntu):
importance: Undecided → High
status: New → Confirmed
Changed in nova:
status: Confirmed → Invalid
Thierry Carrez (ttx)
Changed in nova (Ubuntu):
status: Confirmed → Triaged
Thierry Carrez (ttx)
Changed in nova (Ubuntu):
assignee: nobody → Thierry Carrez (ttx)
status: Triaged → Fix Committed
Thierry Carrez (ttx)
Changed in nova (Ubuntu):
assignee: Thierry Carrez (ttx) → Chuck Short (zulcss)
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.