Bug 1163419

Summary: Adjust log permissions to 0750 for openstack-heat
Product: Red Hat OpenStack Reporter: Lon Hohberger <lhh>
Component: openstack-heat Assignee: Jeff Peeler <jpeeler>
Status: CLOSED ERRATA QA Contact: Amit Ugol <augol>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 5.0 (RHEL 7) CC: ajeain, ddomingo, jpeeler, sbaker, scohen, shardy, yeylon
Target Milestone: z4 Keywords: EasyFix, ZStream
Target Release: 5.0 (RHEL 7) Flags: ddomingo: needinfo+
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openstack-heat-2014.1.3-2.el6ost openstack-heat-2014.1.3-3.el7ost Doc Type: Bug Fix
Doc Text:
The logs for the Orchestration service are stored in the /var/log/heat directory. In previous releases, this directory was readable by all. This update restricts readability of /var/log/heat to only user and group (0750). (BZ#1163419)
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-04-16 14:04:41 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1163424    

Description Lon Hohberger 2014-11-12 16:42:13 UTC
The spec file for openstack-heat sets the permissions for /var/log/heat directory to 0755, which is world-readable.  To maintain consistency, please set this to 0750.  See bug 1149688 for more details.  In the RPM spec file in the %files section, you can use the following:

%dir %attr(0750, heat, heat) %{_localstatedir}/log/heat

(Owner/Group are examples and may be different for this component)

Comment 1 Lon Hohberger 2014-11-12 16:51:08 UTC
The intent here is to tighten up access on /var/log directories and files.  Note that, apart from the RPM spec files, it's possible some OpenStack components may be setting permissions incorrectly as well.

It also may be the case that this component has a valid need to have its /var/log directory world-readable.  If that is the case, please close this bugzilla.
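
A check for the condition this bug addresses, as an added example that is not part of the original report or the openstack-heat packaging: it compares a log directory's mode against 0750 and lists entries beneath it that still grant access to other users. It assumes GNU find and stat (as on RHEL); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a log directory for access granted to "other" users.
# Assumes GNU find and stat; all function names here are hypothetical.
# Usage after sourcing this file: audit_log_dir /var/log/heat 0750

# Print the octal mode of a path, e.g. 750.
mode_of() {
    stat -c '%a' -- "$1"
}

# Return 0 if the mode of $1 equals the expected octal mode $2.
# Both values are read as octal, so "750" and "0750" compare equal.
dir_mode_ok() {
    actual=$(mode_of "$1")
    [ "$((0$actual))" -eq "$((0$2))" ]
}

# List every entry at or below $1 that has any read/write/execute
# bit set for "other" (the start directory itself is included).
world_accessible() {
    find "$1" -perm /007 -print
}

# Return 0 only if the directory has the expected mode (default 0750)
# and nothing at or below it is accessible to other users.
audit_log_dir() {
    dir=$1
    expected=${2:-0750}
    status=0
    if ! dir_mode_ok "$dir" "$expected"; then
        echo "FAIL: $dir is mode $(mode_of "$dir"), expected $expected"
        status=1
    fi
    leaks=$(world_accessible "$dir")
    if [ -n "$leaks" ]; then
        echo "FAIL: entries accessible to other users:"
        echo "$leaks" | while IFS= read -r p; do
            echo "  $(mode_of "$p") $p"
        done
        status=1
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: $dir"
    fi
    return "$status"
}
```

Checking the files as well as the directory covers the case raised in Comment 1, where a component sets permissions itself at runtime regardless of what the RPM spec file declares.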

Comment 5 Amit Ugol 2015-03-31 11:45:16 UTC
Verified on 2014.1.4

Comment 7 errata-xmlrpc 2015-04-16 14:04:41 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-0827.html