1149688 – /var/log/neutron/ and all logs within it are world readable.

Bug 1149688 - /var/log/neutron/ and all logs within it are world readable.

Summary: /var/log/neutron/ and all logs within it are world readable.

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	openstack-neutron
Sub Component:
Version:	5.0 (RHEL 6)
Hardware:	x86_64
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	z3
Target Release:	5.0 (RHEL 6)
Assignee:	Ihar Hrachyshka
QA Contact:	Toni Freger
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1163424
TreeView+	depends on / blocked

Reported:	2014-10-06 13:14 UTC by Lee Yarwood
Modified:	2023-02-22 23:02 UTC (History)
CC List:	8 users (show)
Fixed In Version:	openstack-neutron-2014.1.3-9.el6ost openstack-neutron-2014.1.3-8.el7ost
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	1163424 (view as bug list)
Environment:
Last Closed:	2014-12-02 16:48:53 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	OSP-16499	0	None	None	None	2022-07-09 07:05:00 UTC
Red Hat Product Errata	RHSA-2014:1938	0	normal	SHIPPED_LIVE	Moderate: openstack-neutron security and bug fix update	2014-12-02 21:48:36 UTC

Description Lee Yarwood 2014-10-06 13:14:57 UTC

Description of problem:

/var/log/neutron/ and all logs within it are world readable. These logs can contain sensitive information and should have access restricted as much as possible.

Version-Release number of selected component (if applicable):
openstack-neutron-2014.1.2-4.

Comment 1 Ihar Hrachyshka 2014-10-07 16:58:13 UTC

Though I agree that we should limit access to log directory as much as possible, the issue is not Neutron specific, and is present in other components (I've checked Nova, Ceilometer; I expect other components to follow the example). So we need to determine how to properly handle that project wide.

Comment 2 Lee Yarwood 2014-10-07 20:03:04 UTC

(In reply to Ihar Hrachyshka from comment #1)
> Though I agree that we should limit access to log directory as much as
> possible, the issue is not Neutron specific, and is present in other
> components (I've checked Nova, Ceilometer; I expect other components to
> follow the example). So we need to determine how to properly handle that
> project wide.

Agreed, however the customer cited Neutron in the case thus the specific bug. Shall we create an overall tracker to audit the permissions of all openstack service logs and keep this one targeted at Neutron?

Comment 6 Ihar Hrachyshka 2014-10-30 16:12:42 UTC

@Perry, I'm all for tracking the issue in all projects though I'm not the one to decide, clone and track all of them.

As for puppet, I think the proper way is to make sure puppet modules do *not* touch any directories and rely on proper packaging. Yes, the clone for puppet-modules will also be needed to track that.

Comment 11 Toni Freger 2014-11-16 06:25:25 UTC

Have tested in Rhe7 
openstack-neutron-2014.1.3-8.el7ost.noarch

/var/log/neutron directory is chmod 750 
drwxr-x---. 2 neutron    neutron    4096 Nov 13 15:27 neutron

Comment 14 errata-xmlrpc 2014-12-02 16:48:53 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2014-1938.html

Note You need to log in before you can comment on or make changes to this bug.