Permissions 0644 for '/var/lib/nova/.ssh/id_rsa' are too open
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Nova Compute Charm | Invalid | Undecided | Unassigned | |
| Ubuntu Cloud Archive | Fix Released | High | Unassigned | |
| Ussuri | Fix Released | High | Unassigned | |
| Victoria | Fix Released | High | Unassigned | |
| Wallaby | Fix Released | High | Unassigned | |
| Xena | Fix Released | High | Unassigned | |
| Yoga | Fix Released | High | Unassigned | |
| Zed | Fix Released | High | Unassigned | |
| nova (Ubuntu) | Fix Released | High | Rodrigo Barbieri | |
| Focal | Fix Released | High | Unassigned | |
| Impish | Won't Fix | High | Unassigned | |
| Jammy | Fix Released | High | Unassigned | |
| Kinetic | Fix Released | High | Rodrigo Barbieri | |

Bug Description
[Impact]
Charm revision: 320
Cloud: bionic-ussuri
Permissions 0644 for '/var/lib/
Load key "/var/lib/
nova@10.35.80.49: Permission denied (publickey).
This was preventing nova resizing:
/var/log/
Manually setting to 0600 fixed the issue.
Note (coreycb): It's important to note that /var/lib/nova/.ssh/ and files contained in that directory are not created by the package. Therefore the package should avoid changing permissions for this directory.
[Test Case]
Install a previous version of the nova-common package.
Set up ssh as described here (at least the creation of /var/lib/nova/.ssh/ files and chmod accordingly): https:/
Upgrade to the patched version of nova-common and confirm the /var/lib/nova/.ssh/ directory/file modes haven't changed.
[Regression Potential]
This is actually fixing a regression that was introduced to the package when we introduced the postinst code that does a blanket chmod to all of /var/lib/nova/. Assuming the test case above passes, I can't see any way for this to cause another regression.
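
The test case above as a runnable check, added here as an example and not taken from the nova-common package: it works in a temporary directory standing in for /var/lib/nova and compares the modes under .ssh before and after an upgrade step. The functions `blanket_chmod` and `scoped_chmod` are assumed shapes of a blanket and a scoped chmod, since the page does not show the postinst code; all function names are hypothetical.

```sh
# Added example. Sandbox is a constructed temp dir, not a real /var/lib/nova.

# Print "<octal mode> <path>" for every entry under $1, sorted by path.
snapshot_modes() {
    find "$1" -exec stat -c '%a %n' {} + | sort -k2
}

# Succeed only if no private key in $1 has group/other bits (ssh's own check).
keys_are_private() {
    for key in "$1"/id_*; do
        case $key in *.pub) continue ;; esac
        [ -e "$key" ] || continue
        case $(stat -c '%a' "$key") in *00|0) ;; *) return 1 ;; esac
    done
    return 0
}

# Assumed shape of the regression: chmod applied to every file under the root.
blanket_chmod() { find "$1" -type f -exec chmod 0644 {} +; }

# Assumed alternative: the same chmod, but .ssh is pruned and never touched.
scoped_chmod() { find "$1" -name .ssh -prune -o -type f -exec chmod 0644 {} +; }

# Create the sandbox with an operator-made 0600 key and print its path.
make_sandbox() {
    root=$(mktemp -d)
    mkdir -p "$root/.ssh" "$root/instances"
    chmod 0700 "$root/.ssh"
    : > "$root/.ssh/id_rsa";     chmod 0600 "$root/.ssh/id_rsa"
    : > "$root/.ssh/id_rsa.pub"; chmod 0644 "$root/.ssh/id_rsa.pub"
    : > "$root/instances/disk";  chmod 0600 "$root/instances/disk"
    echo "$root"
}

# Apply upgrade step $1 to a fresh sandbox; print whether .ssh modes survived.
ssh_modes_after() {
    root=$(make_sandbox)
    before=$(snapshot_modes "$root/.ssh")
    "$1" "$root"
    after=$(snapshot_modes "$root/.ssh")
    result=changed
    if [ "$before" = "$after" ] && keys_are_private "$root/.ssh"; then
        result=unchanged
    fi
    rm -rf "$root"
    echo "$result"
}
echo "blanket chmod: $(ssh_modes_after blanket_chmod)"
echo "scoped chmod:  $(ssh_modes_after scoped_chmod)"
```

On a real host the same before/after comparison applies: run `snapshot_modes /var/lib/nova/.ssh` before and after the package upgrade and compare the two outputs.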
Related branches
- Corey Bryant: Pending requested
- Diff: 29 lines (+9/-1), 2 files modified
  - debian/changelog (+7/-0)
  - debian/nova-common.postinst (+2/-1)
Changed in nova (Ubuntu): | |
assignee: | nobody → Felipe Reyes (freyes) |
Changed in charm-nova-compute: | |
status: | New → Invalid |
tags: | added: sts |
Changed in nova (Ubuntu): | |
assignee: | nobody → Rodrigo Barbieri (rodrigo-barbieri2010) |
description: | updated |
Changed in nova (Ubuntu Focal): | |
status: | New → Triaged |
Changed in nova (Ubuntu Impish): | |
status: | New → Triaged |
Changed in nova (Ubuntu Jammy): | |
status: | New → Triaged |
Changed in nova (Ubuntu Kinetic): | |
importance: | Undecided → High |
Changed in nova (Ubuntu Jammy): | |
importance: | Undecided → High |
Changed in nova (Ubuntu Impish): | |
importance: | Undecided → High |
Changed in nova (Ubuntu Focal): | |
importance: | Undecided → High |
Changed in cloud-archive: | |
status: | Fix Released → Fix Committed |
tags: | added: verification-done-focal verification-done-ussuri verification-done-victoria verification-done-wallaby verification-done-xena verification-done-yoga; removed: verification-focal-done verification-ussuri-done verification-victoria-done verification-wallaby-done verification-xena-done verification-yoga-done |
tags: | added: verification-ussuri-done; removed: verification-done-ussuri |
Also seen on cs:nova-compute-327.