Bug 1149688
| Field | Value |
|---|---|
| Summary | /var/log/neutron/ and all logs within it are world readable. |
| Product | Red Hat OpenStack |
| Component | openstack-neutron |
| Reporter | Lee Yarwood <lyarwood> |
| Assignee | Ihar Hrachyshka <ihrachys> |
| QA Contact | Toni Freger <tfreger> |
| Status | CLOSED ERRATA |
| Severity | high |
| Priority | high |
| Version | 5.0 (RHEL 6) |
| CC | ajeain, chrisw, ebarrera, ihrachys, lhh, mlopes, nyechiel, yeylon |
| Target Milestone | z3 |
| Target Release | 5.0 (RHEL 6) |
| Keywords | ZStream |
| Hardware | x86_64 |
| OS | Linux |
| Fixed In Version | openstack-neutron-2014.1.3-9.el6ost openstack-neutron-2014.1.3-8.el7ost |
| Doc Type | Bug Fix |
| Clone Of | |
| | 1163424 |
| Last Closed | 2014-12-02 16:48:53 UTC |
| Type | Bug |
| Bug Blocks | 1163424 |

Description
Lee Yarwood
2014-10-06 13:14:57 UTC

Though I agree that we should limit access to log directory as much as possible, the issue is not Neutron specific, and is present in other components (I've checked Nova, Ceilometer; I expect other components to follow the example). So we need to determine how to properly handle that project wide.

(In reply to Ihar Hrachyshka from comment #1)
> Though I agree that we should limit access to log directory as much as
> possible, the issue is not Neutron specific, and is present in other
> components (I've checked Nova, Ceilometer; I expect other components to
> follow the example). So we need to determine how to properly handle that
> project wide.

Agreed, however the customer cited Neutron in the case thus the specific bug. Shall we create an overall tracker to audit the permissions of all openstack service logs and keep this one targeted at Neutron?

@Perry, I'm all for tracking the issue in all projects though I'm not the one to decide, clone and track all of them. As for puppet, I think the proper way is to make sure puppet modules do *not* touch any directories and rely on proper packaging.

Yes, the clone for puppet-modules will also be needed to track that.

Have tested in RHEL7 openstack-neutron-2014.1.3-8.el7ost.noarch
/var/log/neutron directory is chmod 750
    drwxr-x---. 2 neutron neutron 4096 Nov 13 15:27 neutron

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1938.html