/var/log/nova/* is world-readable
Bug #862816 reported by Adam Gandelman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
nova (Ubuntu) | Fix Released | High | Adam Gandelman |
Oneiric | Fix Released | High | Adam Gandelman |
Bug Description
The default nova.conf ships with '--verbose' enabled by default. When set, each nova-* component logs all configuration flags to its respective logfile in /var/log/nova/, including any credentials stored in nova.conf (see attachment). If '--verbose' logging is to be enabled by default, permissions of logfiles in /var/log/nova should be restricted to match those of nova.conf (0600, nova:nova).
Changed in nova (Ubuntu):
status: New → Triaged
importance: Undecided → High
Changed in nova (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
tags: added: server-o-rs
Changed in nova (Ubuntu Oneiric):
assignee: nobody → Adam Gandelman (gandelman-a)
This is both a packaging problem and a Nova bug. Packaging should override the default logfile mode (0644) in nova.conf via the --logfile_mode flag; however, this option does not seem to function as it should (Bug #862969).
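
An audit for the condition this report describes, added here as an example and not taken from the bug report or from the nova packaging: it flags log files that carry permission bits the config file lacks and counts credential-looking lines in them. The key-name pattern and the sample file contents are assumptions constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Assumption: key names that suggest a credential; tune for your deployment.
SECRET_KEY = re.compile(r"(password|secret|sql_connection)\s*[=:]", re.I)

def audit_logs(log_dir, conf_path):
    """Return findings for log files readable more widely than conf_path."""
    conf_mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    findings = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            continue  # skip directories, symlinks and other non-regular entries
        mode = stat.S_IMODE(st.st_mode)
        extra = mode & ~conf_mode  # permission bits the log has but the config lacks
        if not extra:
            continue
        with open(path, errors="replace") as fh:
            leaks = sum(1 for line in fh if SECRET_KEY.search(line))
        findings.append({"file": name, "mode": oct(mode), "extra": oct(extra),
                         "world_readable": bool(mode & stat.S_IROTH),
                         "credential_lines": leaks})
    return findings

def demo():
    """Build a constructed log directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "nova.conf")
        logs = os.path.join(root, "log")
        os.mkdir(logs)
        samples = {  # constructed content, not real nova output
            conf: ("--verbose\n--sql_connection=mysql://nova:EXAMPLE@db/nova\n", 0o600),
            os.path.join(logs, "nova-api.log"):
                ("sql_connection : mysql://nova:EXAMPLE@db/nova\n", 0o644),
            os.path.join(logs, "nova-compute.log"): ("started\n", 0o600),
        }
        for path, (text, mode) in samples.items():
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
        return audit_logs(logs, conf)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real host, call `audit_logs("/var/log/nova", <path to nova.conf>)` as a user able to read both; an empty list means no log file is more permissive than the config.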