Bug 1296995

Summary: /var/lib/cinder/cinder-volumes is world-readable
Product: Red Hat OpenStack
Component: openstack-packstack
Version: 8.0 (Liberty)
Status: CLOSED ERRATA
Severity: high
Priority: high
Reporter: Eric Harney <eharney>
Assignee: Ivan Chavero <ichavero>
QA Contact: lkuchlan <lkuchlan>
CC: apevec, cvsbot-xmlrpc, jobernar, jpena, lhh, nlevinki, security-response-team
Keywords: Reopened, Triaged, ZStream
Target Milestone: async
Target Release: 8.0 (Liberty)
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openstack-packstack-7.0.0-0.19.dev1702.g490e674.el7ost
Doc Type: Bug Fix
Type: Bug
Last Closed: 2016-06-29 13:57:55 UTC
Bug Depends On: 1346048
Bug Blocks: 1297408

Description Eric Harney 2016-01-08 16:30:10 UTC
Description of problem:
Packstack allinone creates a /var/lib/cinder/cinder-volumes file which is used to host LVM data for Cinder users.  This file is created with permissions 644, but should be only readable by root, as it contains user data.  (It's only used to back a loopback device, not touched by Cinder itself.)

Version-Release number of selected component (if applicable):
openstack-packstack-7.0.0-0.8.dev1661.gaf13b7e.el7ost.noarch

Comment 7 Javier Peña 2016-06-10 16:11:12 UTC
Note that openstack-packstack-7.0.0-0.18.dev1702.g490e674.el7ost caused https://bugzilla.redhat.com/show_bug.cgi?id=1344219 . It's going to be reverted until the fix described in that bz is packaged.

Comment 10 Alan Pevec 2016-06-15 21:57:51 UTC
Fixed in Puppet modules; the proper fix in Packstack was a revert of the previous patch.

Comment 11 Alan Pevec 2016-06-15 21:58:23 UTC

*** This bug has been marked as a duplicate of bug 1346048 ***

Comment 13 lkuchlan 2016-06-23 08:38:16 UTC
Tested using:
openstack-packstack-7.0.0-0.19.dev1702.g490e674.el7ost.noarch

[root@panther13 ~(keystone_admin)]# ls -l /var/lib/cinder/cinder-volumes
-rw-r-----. 1 root root 22118662144 Jun 23 10:44 /var/lib/cinder/cinder-volumes
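
The manual `ls -l` check above can be scripted. The following is an added example, not code from Packstack or from this bug: it flags any backing file that grants permission bits to "other", and generalizes beyond the single Cinder file by optionally listing the backing file of every active loop device. It assumes GNU `stat` and util-linux `losetup`; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Packstack code): audit loopback backing files such as
# /var/lib/cinder/cinder-volumes for permission bits granted to "other".
# Assumes GNU stat (-c) and, for enumeration, util-linux losetup.

# Return 0 if FILE grants nothing to "other", 1 if it does, 2 if stat fails.
backing_file_mode_ok() {
    mode=$(stat -c '%a' -- "$1" 2>/dev/null) || return 2
    other=${mode#"${mode%?}"}      # last octal digit = "other" class
    [ "$other" = 0 ]
}

# Print one verdict line per file; return 1 if any file is flagged or missing.
audit_backing_files() {
    flagged=0
    for f in "$@"; do
        rc=0
        backing_file_mode_ok "$f" || rc=$?
        case $rc in
            0) echo "OK       $(stat -c '%A %U:%G' -- "$f") $f" ;;
            1) echo "EXPOSED  $(stat -c '%A %U:%G' -- "$f") $f"; flagged=1 ;;
            *) echo "MISSING  $f"; flagged=1 ;;
        esac
    done
    return "$flagged"
}

# List the backing file of every active loop device (usually needs root).
loop_backing_files() {
    command -v losetup >/dev/null 2>&1 || return 0
    losetup --list --noheadings --output BACK-FILE 2>/dev/null |
        sed -e 's/[[:space:]]*$//' -e '/^$/d' -e '/ (deleted)$/d'
}

# With arguments: audit those paths. Without: only define the functions.
if [ "$#" -gt 0 ]; then
    audit_backing_files "$@"
fi
```

Run against `/var/lib/cinder/cinder-volumes`, the original mode 644 is reported as EXPOSED, while the `-rw-r-----` (640) mode shown in the verification output passes.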

Comment 15 errata-xmlrpc 2016-06-29 13:57:55 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1354