Bug 1229699 - /etc/os-collect-config.conf is world readable and contains credentials to openstack
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-tripleo-image-elements
Version: 7.0 (Kilo)
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ga
: Director
Assignee: James Slagle
QA Contact: Attila Fazekas
Reported: 2015-06-09 13:05 UTC by Attila Fazekas
Modified: 2015-08-05 13:52 UTC (History)

Fixed In Version: openstack-tripleo-image-elements-0.9.6-6.el7ost
Doc Type: Bug Fix
Last Closed: 2015-08-05 13:52:58 UTC
Links
System | ID | Priority | Status | Summary | Last Updated
OpenStack gerrit | 198155 | None | None | None | Never
Red Hat Product Errata | RHEA-2015:1549 | normal | SHIPPED_LIVE | Red Hat Enterprise Linux OpenStack Platform director Release | 2015-08-05 17:49:10 UTC

Comment 4 Attila Fazekas 2015-07-21 12:47:44 UTC
The change did not change the permission on the image, but
the permission changes on the first os-apply-config (first boot).

Is it guaranteed in this way the file permission changes before it gets the credentials? If not, can it be an issue?

Comment 5 Attila Fazekas 2015-07-21 13:09:35 UTC
The final write sequence according to my strace:

11212 open("/etc/tmp1ywvKu", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3
....
11212 chmod("/etc/tmp1ywvKu", 0600)     = 0
11212 chown("/etc/tmp1ywvKu", 0, 0)     = 0
11212 rename("/etc/tmp1ywvKu", "/etc/os-collect-config.conf") = 0
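
The write sequence in the strace above (private temporary file in the target directory, explicit chmod/chown, then rename over the target) can be reproduced as below. This is an added example, not os-apply-config's own code; the function names and the sample file contents are assumptions, and it chowns to the caller's effective uid/gid rather than 0:0 so it also runs unprivileged.

```python
import os
import stat
import tempfile


def write_secret_atomically(path, data, mode=0o600):
    """Replace `path` with `data` without the secret ever being in a looser-mode file."""
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp opens with O_CREAT|O_EXCL and mode 0600 in the target directory,
    # so the temporary file is private from the moment it exists.
    fd, tmp = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            os.fchmod(f.fileno(), mode)  # explicit, independent of umask
            # Assumption: effective ids (root:root when run as root, as in the strace).
            os.fchown(f.fileno(), os.geteuid(), os.getegid())
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        # rename() swaps the directory entry atomically: the old inode, with
        # whatever mode the image shipped, never receives the credentials.
        os.rename(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def exposed_bits(path):
    """Return the group/other permission bits set on `path` (0 means private)."""
    return stat.S_IMODE(os.lstat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)


def demo():
    # Constructed stand-in for a config file shipped world-readable in an image.
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "os-collect-config.conf")
        with open(conf, "w") as f:
            f.write("[DEFAULT]\n")
        os.chmod(conf, 0o644)
        before = exposed_bits(conf)
        # Constructed file contents, not a real credential or the real key names.
        write_secret_atomically(conf, b"[heat]\npassword = CONSTRUCTED-VALUE\n")
        with open(conf, "rb") as f:
            content = f.read()
        return before, exposed_bits(conf), sorted(os.listdir(d)), content
```

Because the temporary file is created in the same directory as the target, the rename stays on one filesystem and remains atomic.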

Comment 7 errata-xmlrpc 2015-08-05 13:52:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2015:1549

