Bug 1229302 - /etc/puppet/hieradata/compute.yaml is world readable with plain text passwords
Summary: /etc/puppet/hieradata/compute.yaml is world readable with plain text passwords
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-puppet-elements
Version: Director
Hardware: Unspecified
OS: Unspecified
Target Milestone: ga
: Director
Assignee: James Slagle
QA Contact: Attila Fazekas
Depends On:
Reported: 2015-06-08 12:21 UTC by Attila Fazekas
Modified: 2015-08-27 05:49 UTC (History)

Fixed In Version: openstack-tripleo-puppet-elements-0.0.1-2
Doc Type: Bug Fix
Doc Text:
The os-apply-config command created /etc/puppet/hieradata with open permissions. The files in this directory contained passwords and tokens that could provide unauthorized access to the OpenStack installation. This fix sets /etc/puppet/hieradata as a root-owned directory with 0700 permissions. Only the root user can access /etc/puppet/hieradata, which provides a more secure installation.
Clone Of:
Last Closed: 2015-08-05 13:52:53 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
OpenStack gerrit 183509 None None None Never
OpenStack gerrit 198158 None None None Never
Red Hat Product Errata RHEA-2015:1549 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform director Release 2015-08-05 17:49:10 UTC

Comment 5 James Slagle 2015-07-07 20:31:22 UTC
I'm unable to reproduce this using the provided images from 2015-06-26.

it should have been addressed by:

Steve, I commented on the upstream review, but I don't think changing the umask from 077 to 0077 actually makes any difference.

I think this was fixed by Derek's earlier patch and that just hadn't made it into the image builds when this was first reported on 2015-06-08

Comment 6 James Slagle 2015-07-07 20:34:12 UTC
note that https://review.openstack.org/183509 was in the 0.0.1 release of tripleo-puppet-elements and built into openstack-tripleo-puppet-elements-0.0.1-2

Comment 7 Steve Baker 2015-07-08 00:03:01 UTC
Permissions on /etc/puppet/hieradata look good now on puddle 2015-07-02-1.

I have abandoned the upstream change.

Comment 8 James Slagle 2015-07-08 19:04:12 UTC
QE: please retest this and confirm permissions are 0700 on /etc/puppet/hieradata on the overcloud nodes.

Comment 10 Attila Fazekas 2015-07-15 13:47:43 UTC
Now I created a deployment with http://rhos-release.virt.bos.redhat.com/mburns/2015-07-13.1/images/ .

The n-cpu node seems OK.
[heat-admin@overcloud-compute-0 ~]$ ls -ld /etc/puppet/hieradata/
drwx------. 2 root root 4096 Jul 15 09:09 /etc/puppet/hieradata/

Comment 11 Mike Burns 2015-07-15 13:55:41 UTC
Attila -- we should mark this VERIFIED, not CLOSED CURRENTRELEASE.

Comment 12 Attila Fazekas 2015-07-21 14:18:24 UTC
os-refresh-config creates the directory with 700 on the first run,
but it does not change the permissions if the directory already exists with the wrong permissions.

The directory does not exist on the base images.
So, if anyone has a system installed from the old images, they need to change the permissions manually; newly installed systems are expected to be OK.
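
The fix described in the Doc Text (a root-owned /etc/puppet/hieradata with mode 0700) together with Comment 12's observation that os-refresh-config does not repair a directory that already exists with the wrong mode means nodes deployed from the old images need a one-off audit and remediation. The shell script below is an added example written for this page; it is not code from the bug, from openstack-tripleo-puppet-elements or from os-refresh-config. The function names, the optional OWNER parameter and the constructed sample compute.yaml (with placeholder values) are assumptions made so it can run against a temporary directory; it relies on GNU stat and GNU find's -perm /077 syntax, which the RHEL-based overcloud images provide.

```shell
#!/bin/sh
# Added example (not from the bug or the project): audit and repair a
# hieradata directory so it matches what a fresh deployment with
# openstack-tripleo-puppet-elements-0.0.1-2 gets: root-owned, mode 0700,
# and no file inside readable by group or other. Needs GNU stat/find.

# hieradata_check DIR [OWNER]
# Exit 0 if DIR is mode 700, owned by OWNER (default root) and contains
# no file with any group/other permission bit; otherwise print every
# problem found and exit 1.
hieradata_check() {
    local dir="$1" owner="${2:-root}" rc=0 mode actual_owner leaky
    if [ ! -d "$dir" ]; then
        echo "MISSING: $dir (os-refresh-config creates it on its first run)"
        return 1
    fi
    mode=$(stat -c '%a' "$dir")
    if [ "$mode" != "700" ]; then
        echo "WRONG: $dir is mode $mode, expected 700"
        rc=1
    fi
    actual_owner=$(stat -c '%U' "$dir")
    if [ "$actual_owner" != "$owner" ]; then
        echo "WRONG: $dir is owned by $actual_owner, expected $owner"
        rc=1
    fi
    # -perm /077: any of the group/other rwx bits is set (GNU find syntax)
    leaky=$(find "$dir" -type f -perm /077 -print)
    if [ -n "$leaky" ]; then
        echo "WRONG: readable by group or other:"
        echo "$leaky"
        rc=1
    fi
    return "$rc"
}

# hieradata_secret_keys DIR
# List the hiera keys in DIR/*.yaml whose names suggest a credential
# (password, token, secret). Assumes the flat "key: value" layout of the
# hieradata files; only key names are printed, never the values.
hieradata_secret_keys() {
    grep -hiE '^[^ ]*(password|token|secret)[^ ]*:' "$1"/*.yaml 2>/dev/null \
        | sed -E 's/^([^ ]+):.*$/\1/' | sort -u
}

# hieradata_fix DIR [OWNER]
# Apply the permissions a fresh deployment gets, then re-run the check.
# chown only succeeds as root, so it is skipped for other users; when
# not running as root, pass the invoking user as OWNER for a clean check.
hieradata_fix() {
    local dir="$1" owner="${2:-root}"
    chmod 0700 "$dir" || return 1
    # strip group/other bits from every file, leave the owner bits alone
    find "$dir" -type f -exec chmod go-rwx {} +
    if [ "$(id -u)" -eq 0 ]; then
        chown "$owner:$owner" "$dir"
    fi
    hieradata_check "$dir" "$owner"
}

# Demonstration on a constructed directory, not /etc/puppet/hieradata:
# model a node deployed from the old images, where the directory already
# exists as 0755 with a 0644 compute.yaml that os-refresh-config will not
# repair on its own. The YAML content and values are made up.
demo_dir=$(mktemp -d)
chmod 0755 "$demo_dir"
cat > "$demo_dir/compute.yaml" <<'EOF'
nova::compute::vncserver_proxyclient_address: 192.0.2.10
nova::rabbit_password: not-a-real-secret
keystone::admin_token: not-a-real-token
EOF
chmod 0644 "$demo_dir/compute.yaml"
echo "credential keys exposed in $demo_dir:"
hieradata_secret_keys "$demo_dir"
echo "--- before fix"
hieradata_check "$demo_dir" "$(id -un)" || echo "(not OK, as on a node from the old images)"
echo "--- after fix"
hieradata_fix "$demo_dir" "$(id -un)" && echo "OK: $demo_dir is now 0700 with private files"
rm -rf "$demo_dir"
```

On an overcloud node built from the old images, run `hieradata_fix /etc/puppet/hieradata` as root (for example via sudo from the heat-admin account) and re-run `hieradata_check /etc/puppet/hieradata` after the next os-refresh-config run to confirm the directory stayed at 0700. `hieradata_secret_keys` is only there to show which keys a world-readable directory would have exposed; it deliberately prints no values.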

Comment 14 errata-xmlrpc 2015-08-05 13:52:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

