Bug 1229302
| Summary: | /etc/puppet/hieradata/compute.yaml is world readable with plain text passwords | | |
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Attila Fazekas <afazekas> |
| Component: | openstack-tripleo-puppet-elements | Assignee: | James Slagle <jslagle> |
| Status: | CLOSED ERRATA | QA Contact: | Attila Fazekas <afazekas> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | high | | |
| Version: | Director | CC: | afazekas, calfonso, dmacpher, jruzicka, jslagle, mburns, ohochman, pbrady, rhel-osp-director-maint, rrosa, sbaker, sclewis, yeylon |
| Target Milestone: | ga | Keywords: | Reopened, Triaged |
| Target Release: | Director | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | openstack-tripleo-puppet-elements-0.0.1-2 | Doc Type: | Bug Fix |
| Doc Text: | The os-apply-config command created /etc/puppet/hieradata with open permissions. The files in this directory contained passwords and tokens that could provide unauthorized access to the OpenStack installation. This fix sets /etc/puppet/hieradata as a root-owned directory with 0700 permissions. Only the root user can access /etc/puppet/hieradata, which provides a more secure installation. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2015-08-05 13:52:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Comment 5
James Slagle
2015-07-07 20:31:22 UTC
note that https://review.openstack.org/183509 was in the 0.0.1 release of tripleo-puppet-elements and built into openstack-tripleo-puppet-elements-0.0.1-2. Permissions on /etc/puppet/hieradata look good now on puddle 2015-07-02-1. I have abandoned the upstream change.

qe: please retest this and confirm permissions are 0700 on /etc/puppet/hieradata on the overcloud nodes

Now I created a deployment with http://rhos-release.virt.bos.redhat.com/mburns/2015-07-13.1/images/ . The n-cpu node seems ok.

```
[heat-admin@overcloud-compute-0 ~]$ ls -ld /etc/puppet/hieradata/
drwx------. 2 root root 4096 Jul 15 09:09 /etc/puppet/hieradata/
```

Attila -- we should mark this verified, not closed currentrelease.

os-refresh-config creates the directory with 700 at the first run, but it does not change the permission if the directory already exists with wrong permission. The directory does not exist on the base images. So, if anyone has a system installed from the old images, he needs to change permissions manually; the newly installed systems are expected to be ok.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549
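The check a practitioner would want on overcloud nodes deployed from pre-fix images, given the point above that os-refresh-config only applies 0700 when it creates the directory and leaves an existing open directory alone: an added shell example, not code from the bug report, the errata or tripleo-puppet-elements. It assumes GNU coreutils and findutils (as on RHEL 7), takes the directory and the expected owner as parameters so it can be tried against a scratch copy, and its function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug or from tripleo-puppet-elements):
# audit, and optionally repair, the state the fix establishes for
# /etc/puppet/hieradata: owned by root, mode 0700, nothing inside
# readable by group or others. Assumes GNU stat/find (RHEL 7).

HIERADATA_EXPECTED_MODE=700
HIERADATA_EXPECTED_OWNER=root

# hieradata_perms_ok DIR [OWNER]
# Returns 0 when DIR is a directory owned by OWNER (default root) with
# mode 700 and no entry inside it has any group/other permission bit set;
# returns 1 otherwise. OWNER is a parameter only so the check can be run
# unprivileged against a scratch directory.
hieradata_perms_ok() {
    hd_dir=$1
    hd_owner=${2:-$HIERADATA_EXPECTED_OWNER}
    [ -d "$hd_dir" ] || return 1
    # GNU stat: %a = octal mode without leading zero, %U = owner name
    set -- $(stat -c '%a %U' "$hd_dir")
    [ "$1" = "$HIERADATA_EXPECTED_MODE" ] || return 1
    [ "$2" = "$hd_owner" ] || return 1
    # A 0700 directory still leaks if a file such as compute.yaml is 0644
    # and the directory is later relaxed; -perm /077 matches any g/o bit.
    [ -z "$(find "$hd_dir" -mindepth 1 -perm /077 -print -quit)" ] || return 1
    return 0
}

# hieradata_perms_fix DIR [OWNER]
# Apply the same end state to a directory that already existed with open
# permissions (the case the last comment says needs manual action).
hieradata_perms_fix() {
    hd_dir=$1
    hd_owner=${2:-$HIERADATA_EXPECTED_OWNER}
    [ -d "$hd_dir" ] || return 1
    chown "$hd_owner" "$hd_dir" || return 1
    chmod 0700 "$hd_dir" || return 1
    # Hiera YAML files hold passwords and tokens: owner read/write only
    find "$hd_dir" -mindepth 1 -type f -exec chmod 0600 {} + || return 1
    find "$hd_dir" -mindepth 1 -type d -exec chmod 0700 {} + || return 1
    return 0
}

# Usage on a node (run as root):
#   sh hieradata-perms.sh check    # exit 1 if the directory is open
#   sh hieradata-perms.sh fix      # tighten an existing directory
case "${1:-}" in
    check)
        if hieradata_perms_ok /etc/puppet/hieradata; then
            echo "/etc/puppet/hieradata: ok (root, 0700, no g/o readable files)"
        else
            echo "/etc/puppet/hieradata: NOT ok, run with 'fix'"
            exit 1
        fi
        ;;
    fix)
        hieradata_perms_fix /etc/puppet/hieradata && echo "/etc/puppet/hieradata: fixed"
        ;;
esac
```

Checking the files as well as the directory matters because `ls -ld` on the directory alone, as in the comment above, says nothing about compute.yaml itself; a later `chmod 755` on the directory, or a copy of the file elsewhere, would expose a 0644 YAML immediately.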