Bug 1217089

Summary: Dashboard's local_settings file should not be world readable
Product: Red Hat OpenStack
Reporter: Fabien Malfoy <keldrill>
Component: openstack-packstack
Assignee: Ivan Chavero <ichavero>
Status: CLOSED ERRATA
QA Contact: Ido Ovadia <iovadia>
Severity: high
Priority: high
Version: 6.0 (Juno)
CC: aortega, dmsimard, dnavale, ichavero, mmagr, sclewis, yeylon
Target Milestone: z4
Keywords: Triaged, ZStream
Target Release: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-packstack-2015.1-0.15.dev1589.g1d6372f.el7ost
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2016-02-18 16:45:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Fabien Malfoy 2015-04-29 14:09:26 UTC
Description of problem:
The file /etc/openstack-dashboard/local_settings contains some security values which should not be publicly disclosed, like the SECRET_KEY. According to the Django documentation, this value should remain secret: https://docs.djangoproject.com/en/dev/ref/settings/#secret-key

Version-Release number of selected component (if applicable):
openstack-packstack-2014.2-0.16.dev1401.gdd19d48.el7ost.noarch
openstack-dashboard-2014.2.2-2.el7ost.noarch

How reproducible:
Installing OpenStack Horizon using Packstack

Steps to Reproduce:
1. Install Packstack
2. Install OpenStack Horizon using Packstack

Actual results:
The file /etc/openstack-dashboard/local_settings gets mode 644

Expected results:
The file's mode should be 640 to preserve its content

Additional info:
Log message from horizon.pp
Notice: /Stage[main]/Horizon/File[/etc/openstack-dashboard/local_settings]/mode: mode changed '0640' to '0644'
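The check a practitioner would want to run on an existing Packstack deployment, as an added example that is not part of the bug report, of Packstack, or of puppet-horizon: it audits a settings file for the combination the report describes (a SECRET_KEY present in a file whose "others" read bit is set) and tightens the mode to 0640, the value the Puppet notice above shows being overridden. The demo operates on a constructed temporary stand-in for /etc/openstack-dashboard/local_settings so it runs without root; the group that should own the real file (apache on RHEL/RDO packaging) is an assumption and is deliberately left to the operator rather than changed by the script.

```shell
#!/bin/sh
# Added example (not from the bug report, Packstack or puppet-horizon):
# detect a world-readable Horizon local_settings and tighten it to 0640.
# The real path is assumed to be /etc/openstack-dashboard/local_settings;
# the demo below uses a constructed temp file instead.

# Print the octal permission bits of a file, e.g. 644.
# GNU stat first, BSD stat as a fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# True (exit 0) when "others" have read permission.
# The last octal digit is the "others" triplet; bit 4 is read.
is_world_readable() {
    mode=$(file_mode "$1")
    others=$(( mode % 10 ))
    [ $(( others & 4 )) -ne 0 ]
}

# True when the file defines a non-empty SECRET_KEY, which is what makes
# world-readability a problem (Django's signing and session secret).
has_secret_key() {
    grep -Eq "^[[:space:]]*SECRET_KEY[[:space:]]*=[[:space:]]*['\"][^'\"]+['\"]" "$1"
}

# Owner rw, group r, nobody else. Only the mode is changed; the group
# (assumed apache on RHEL/RDO) depends on packaging and is left alone.
harden_settings() {
    chmod 0640 "$1"
}

# Audit one path: print a finding and return 1 when the secret is exposed.
audit_settings() {
    f=$1
    if has_secret_key "$f" && is_world_readable "$f"; then
        echo "EXPOSED: $f mode $(file_mode "$f") holds SECRET_KEY and is world-readable"
        return 1
    fi
    echo "OK: $f mode $(file_mode "$f")"
    return 0
}

# Demo on a constructed stand-in for /etc/openstack-dashboard/local_settings.
demo() {
    tmp=$(mktemp)
    printf '%s\n' "DEBUG = False" "SECRET_KEY = 'constructed-demo-secret'" > "$tmp"
    chmod 0644 "$tmp"   # the mode the report says horizon.pp leaves behind
    audit_settings "$tmp" || harden_settings "$tmp"
    audit_settings "$tmp"
    file_mode "$tmp"    # → 640
    rm -f "$tmp"
}

demo
```

On a real host, run `audit_settings /etc/openstack-dashboard/local_settings` as root; a non-zero exit means the key is readable by every local account, and `harden_settings` applies the 0640 that the Puppet module intended. The 0640 mode only helps if the file's group is the web server's, so verify ownership with `ls -l` before relying on it.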

Comment 4 Ivan Chavero 2015-12-08 07:34:18 UTC
Can I have QA and PM acks please?

Comment 7 Ido Ovadia 2016-01-24 19:44:33 UTC
Verified
========
openstack-packstack-2015.1-0.15.dev1589.g1d6372f.el7ost.noarch

Comment 10 errata-xmlrpc 2016-02-18 16:45:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0265.html

Comment 11 David Moreau Simard 2016-03-18 21:57:05 UTC
The security fix has been sent to the upstream puppet-horizon module that Packstack consumes [1]. Once the patch lands there, we will revert the fix in Packstack [2] as it will no longer be necessary.

[1]: https://review.openstack.org/#/c/294823/
[2]: https://review.openstack.org/#/c/294825/

Comment 12 Red Hat Bugzilla 2023-09-18 00:11:26 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days.