security: default ownership and permissions
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| aodh (Ubuntu) | Fix Released | Medium | Unassigned | |
| barbican (Ubuntu) | Fix Released | Medium | Unassigned | |
| cinder (Ubuntu) | Fix Released | Medium | Unassigned | |
| designate (Ubuntu) | Fix Released | Medium | Unassigned | |
| glance (Ubuntu) | Fix Released | Medium | Unassigned | |
| gnocchi (Ubuntu) | Fix Released | Medium | Unassigned | |
| heat (Ubuntu) | Fix Released | Medium | Unassigned | |
| ironic (Ubuntu) | Fix Released | Medium | Unassigned | |
| ironic-inspector (Ubuntu) | Fix Released | Medium | Unassigned | |
| keystone (Ubuntu) | Fix Released | Medium | Unassigned | |
| magnum (Ubuntu) | Fix Released | Medium | Unassigned | |
| manila (Ubuntu) | Fix Released | Medium | Unassigned | |
| masakari (Ubuntu) | Fix Released | Medium | Unassigned | |
| masakari-monitors (Ubuntu) | Fix Released | Medium | Unassigned | |
| mistral (Ubuntu) | Fix Released | Medium | Unassigned | |
| murano (Ubuntu) | Fix Released | Medium | Unassigned | |
| murano-agent (Ubuntu) | Fix Released | Medium | Unassigned | |
| neutron (Ubuntu) | Fix Released | Medium | Unassigned | |
| nova (Ubuntu) | Fix Released | Medium | Unassigned | |
| octavia (Ubuntu) | Fix Released | Medium | Unassigned | |
| openstack-trove (Ubuntu) | Fix Released | Medium | Unassigned | |
| placement (Ubuntu) | Fix Released | Medium | Unassigned | |
| Focal | Fix Committed | Undecided | Unassigned | |
| python-glance-store (Ubuntu) | Fix Released | Medium | Unassigned | |
| sahara (Ubuntu) | Fix Released | Medium | Unassigned | |
| senlin (Ubuntu) | Triaged | Medium | Unassigned | |
| swift (Ubuntu) | Fix Released | Medium | Unassigned | |
| watcher (Ubuntu) | Fix Released | Medium | Unassigned | |
| zaqar (Ubuntu) | Fix Released | Undecided | Unassigned | |
| zvmcloudconnector (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
[Impact]
Packages should secure their directories and files as below:

```sh
chown <pkg>:adm /var/log/<pkg>
chmod 0750 /var/log/<pkg>
find /etc/<pkg> -exec chown root:<pkg> "{}" +
find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
# Optional rootwrap.d configuration files.
find /etc/<pkg>
find /etc/<pkg>
find /var/lib/<pkg> -exec chown <pkg>:<pkg> "{}" +
find /var/lib/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
```

For keystone, the /etc/ files and directories should be owned by keystone:keystone: https:/
[Test Case]
Regression testing via juju-deployed OpenStack + tempest, or autopkgtests for uncharmed projects.
[Regression Potential]
Low: the same pattern has been used across all affected OpenStack packages. The changes landed in focal-proposed packages earlier in the cycle for OpenStack and have received a lot of testing.
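An audit that checks an installed package's trees against the ownership and mode policy from [Impact], added here as an example; it is not part of the bug or of the Ubuntu packaging. It assumes GNU find (for -printf), and the ROOT prefix is a constructed hook so the same checks can run against a staging tree; /var/log/<pkg> is checked only at the top level, matching the non-recursive chown/chmod in the description, and the keystone /etc exception is encoded in policy_for.

```shell
#!/bin/sh
# Audit one OpenStack package's trees against the ownership/mode policy in
# the bug description. ROOT is an assumed prefix, empty on a live host, so
# the same checks can be run against a constructed staging tree.
ROOT="${ROOT:-}"

# policy_for PKG: print "PATH OWNER DIRMODE FILEMODE RECURSE" lines.
# /var/log/<pkg> is only chown/chmod'd at the top level in the description
# (no file mode), /etc and /var/lib are fixed recursively, and keystone's
# /etc is owned by keystone:keystone rather than root:keystone.
policy_for() {
    pkg="$1"
    case "$pkg" in
        keystone) etc_owner="keystone:keystone" ;;
        *)        etc_owner="root:$pkg" ;;
    esac
    echo "/var/log/$pkg $pkg:adm 750 - no"
    echo "/etc/$pkg $etc_owner 750 640 yes"
    echo "/var/lib/$pkg $pkg:$pkg 750 640 yes"
}

# audit_path PATH OWNER DIRMODE FILEMODE RECURSE: print one line for every
# entry whose owner or mode differs from the policy ("-" skips the mode
# check). Symlinks are skipped, as the description's -type f/-type d do.
audit_path() {
    p="$ROOT$1"; owner="$2"; dmode="$3"; fmode="$4"
    [ "$5" = yes ] && depth="" || depth="-maxdepth 0"
    [ -e "$p" ] || { echo "$p missing"; return 0; }
    # GNU find: %u:%g owner, %m octal mode, %y type (d/f/l), %p path
    find "$p" $depth -printf '%u:%g %m %y %p\n' | while read -r o m y f; do
        case "$y" in d) want="$dmode" ;; f) want="$fmode" ;; *) continue ;; esac
        if [ "$o" != "$owner" ] || { [ "$want" != - ] && [ "$m" != "$want" ]; }; then
            echo "$f owner=$o mode=$m want=$owner/$want"
        fi
    done
}

# audit_pkg PKG: run every policy line; prints violations and returns 1 if
# anything was flagged, 0 when the package's trees match the policy.
audit_pkg() {
    policy_for "$1" | while read -r path owner dm fm rec; do
        audit_path "$path" "$owner" "$dm" "$fm" "$rec"
    done | grep . && return 1
    return 0
}
```

Run as root with ROOT unset (`audit_pkg nova`) to get a non-zero exit and one line per path that still differs from the policy; a world-readable rootwrap filter shows up as `mode=644 want=root:nova/640`.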
Changed in aodh (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
Changed in barbican (Ubuntu):
  status: New → Confirmed
  status: Confirmed → Triaged
  importance: Undecided → Medium
description: updated
description: updated
Changed in cinder (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
Changed in designate (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
Changed in glance (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
Changed in gnocchi (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
description: updated
description: updated
Changed in python-glance-store (Ubuntu):
  status: New → Triaged
  importance: Undecided → Medium
no longer affects: python-glance-store (Ubuntu)
Changed in python-glance-store (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
description: updated
Changed in masakari-monitors (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
Changed in murano (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
Changed in murano-agent (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
Changed in magnum (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
Changed in ironic-inspector (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
Changed in zvmcloudconnector (Ubuntu):
  importance: Undecided → Medium
  status: New → Triaged
description: updated
tags: added: verification-done verification-done-focal
Changed in placement (Ubuntu Focal):
  status: New → Fix Committed
no longer affects: aodh (Ubuntu Focal)
no longer affects: barbican (Ubuntu Focal)
no longer affects: cinder (Ubuntu Focal)
no longer affects: glance (Ubuntu Focal)
no longer affects: designate (Ubuntu Focal)
no longer affects: gnocchi (Ubuntu Focal)
no longer affects: heat (Ubuntu Focal)
no longer affects: ironic (Ubuntu Focal)
no longer affects: ironic-inspector (Ubuntu Focal)
no longer affects: keystone (Ubuntu Focal)
no longer affects: magnum (Ubuntu Focal)
no longer affects: manila (Ubuntu Focal)
no longer affects: masakari (Ubuntu Focal)
no longer affects: masakari-monitors (Ubuntu Focal)
no longer affects: mistral (Ubuntu Focal)
no longer affects: murano-agent (Ubuntu Focal)
no longer affects: murano (Ubuntu Focal)
no longer affects: neutron (Ubuntu Focal)
no longer affects: nova (Ubuntu Focal)
no longer affects: octavia (Ubuntu Focal)
no longer affects: openstack-trove (Ubuntu Focal)
no longer affects: python-glance-store (Ubuntu Focal)
no longer affects: senlin (Ubuntu Focal)
no longer affects: swift (Ubuntu Focal)
no longer affects: sahara (Ubuntu Focal)
no longer affects: watcher (Ubuntu Focal)
no longer affects: zaqar (Ubuntu Focal)
no longer affects: zvmcloudconnector (Ubuntu Focal)
Latest version of CIS benchmark allows /usr/sbin/nologin or /bin/false for system user account shell configuration so dropping this requirement in this bug.