The openstack-swift package itself installs the file with the correct permissions; however, a Puppet script that runs as part of the install incorrectly removes and recreates the file with world-readable permissions.
Acknowledgments: Name: Hans Feldt (Ericsson)
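The remove-and-recreate failure described above can be reproduced and audited on a scratch file; the following is an added example, not code from puppet-swift or from this bug report. The file name `service.conf`, the umask of 022 and the 0640 target mode are assumptions, and the report does not say how the Puppet script ends up choosing the mode.

```python
import os
import stat
import tempfile

def audit(paths):
    """Return {path: octal mode} for every path whose mode grants read to 'other'."""
    findings = {}
    for path in paths:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & stat.S_IROTH:
            findings[path] = format(mode, "04o")
    return findings

def create_private(path, content, mode=0o640):
    """Create the file with an explicit mode, independent of the process umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)  # chmod is not filtered by the umask

def recreate_without_mode(path, content):
    """Failure mode: remove the file and recreate it with no explicit mode,
    so the umask (assumed 022 here) decides and the result is 0644."""
    os.remove(path)
    old_umask = os.umask(0o022)
    try:
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old_umask)

def demo():
    """Package install -> config-management rewrite -> corrected rewrite."""
    workdir = tempfile.mkdtemp()
    conf = os.path.join(workdir, "service.conf")  # placeholder name (assumption)
    secret = "password = constructed-sample\n"    # constructed sample content

    create_private(conf, secret)                  # state after package install
    after_install = audit([conf])

    recreate_without_mode(conf, secret)           # state after the rewrite
    after_rewrite = audit([conf])

    os.remove(conf)
    create_private(conf, secret)                  # rewrite that sets the mode
    after_fix = audit([conf])
    return after_install, after_rewrite, after_fix

if __name__ == "__main__":
    print(demo())
```

Running `audit()` over the real configuration paths after each configuration-management run catches this class of regression even when the packaged permissions are correct.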
Created attachment 1240008 CVE-2016-9590 patch for puppet-swift
It should be noted that openstack-11 is not affected as upstream landed a change[0] in how these configuration files are updated. That being said, OSP8, OSP9 are affected via openstack-puppet-modules[1][2]. OSP7 should not be affected as it still had the permissions[3].

[0] https://review.openstack.org/#/c/378950/
[1] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/mitaka/swift/manifests/proxy.pp#L182-L186
[2] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/liberty/swift/manifests/proxy.pp#L184-L188
[3] https://github.com/redhat-openstack/openstack-puppet-modules/blob/stable/kilo/swift/manifests/proxy.pp#L176-L181
Created puppet-swift tracking bugs for this issue: Affects: openstack-rdo [bug 1412837]
This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2017:0200 https://rhn.redhat.com/errata/RHSA-2017-0200.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 8.0 (Liberty) Via RHSA-2017:0361 https://rhn.redhat.com/errata/RHSA-2017-0361.html
This issue has been addressed in the following products: Red Hat OpenStack Platform 9.0 (Mitaka) Via RHSA-2017:0359 https://rhn.redhat.com/errata/RHSA-2017-0359.html