Bug 1461139 - Neutron file permissions and ownership do not follow upstream OpenStack security guide -- what is the impact?
Status: NEW
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-neutron
Version: 9.0 (Mitaka)
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: ---
Target Release: 9.0 (Mitaka)
Assigned To: Assaf Muller
QA Contact: Toni Freger
Keywords: Triaged, ZStream
Reported: 2017-06-13 11:39 EDT by jliberma@redhat.com
Modified: 2017-09-18 14:24 EDT (History)

Type: Bug
Description jliberma@redhat.com 2017-06-13 11:39:47 EDT
Description of problem:

The upstream OpenStack security guide recommends certain permissions and file ownerships:

OSP 9 does not follow some of the permissions and ownerships. Either this should be addressed as a security bug or we should explain the rationale for the looser settings.


Current results:

Current standing for Neutron:
[root@overcloud-novacompute-0 keystone]# stat -c "%a %n" /etc/neutron/*
755 /etc/neutron/conf.d
640 /etc/neutron/dhcp_agent.ini
640 /etc/neutron/l2gateway_agent.ini
640 /etc/neutron/l2gw_plugin.ini
640 /etc/neutron/l3_agent.ini
640 /etc/neutron/lbaas_agent.ini
640 /etc/neutron/metadata_agent.ini
640 /etc/neutron/metering_agent.ini
640 /etc/neutron/networking_bgpvpn.conf
640 /etc/neutron/neutron.conf
640 /etc/neutron/neutron_lbaas.conf
777 /etc/neutron/plugin.ini
755 /etc/neutron/plugins
755 /etc/neutron/policy.d
640 /etc/neutron/policy.json
644 /etc/neutron/rootwrap.conf
640 /etc/neutron/services_lbaas.conf 

Some files are owned by root rather than the service user / group.

Additional info:

https://docs.openstack.org/security-guide/networking/checklist.html
Comment 1 Assaf Muller 2017-07-06 17:50:58 EDT
In order to know where we want to be, we have to know where we are, as consistency between the different OpenStack services is also a consideration. Here is file permissions / user / group output for various OpenStack services from an OSP 12 / master undercloud node:

> stat -c "%a %G %U %n" /etc/glance/*
640 glance root /etc/glance/glance-api.conf
640 glance root /etc/glance/glance-cache.conf
640 glance root /etc/glance/glance-registry.conf
640 glance root /etc/glance/glance-scrubber.conf
644 root root /etc/glance/glance-swift.conf
755 root root /etc/glance/metadefs
640 glance root /etc/glance/policy.json
755 root root /etc/glance/rootwrap.d
640 glance root /etc/glance/schema-image.json

> stat -c "%a %G %U %n" /etc/nova/*
640 nova root /etc/nova/api-paste.ini
640 nova root /etc/nova/nova.conf
640 nova root /etc/nova/policy.json
644 root root /etc/nova/release
640 nova root /etc/nova/rootwrap.conf

> stat -c "%a %G %U %n" /etc/ironic/*
640 ironic root /etc/ironic/ironic.conf
640 ironic root /etc/ironic/policy.json
640 ironic root /etc/ironic/rootwrap.conf
755 ironic root /etc/ironic/rootwrap.d

> stat -c "%a %G %U %n" /etc/neutron/*
755 root root /etc/neutron/conf.d
640 neutron root /etc/neutron/dhcp_agent.ini
640 neutron root /etc/neutron/l3_agent.ini
640 neutron root /etc/neutron/metadata_agent.ini
640 neutron root /etc/neutron/neutron.conf
777 root root /etc/neutron/plugin.ini
755 root root /etc/neutron/plugins
640 neutron root /etc/neutron/policy.json
644 root root /etc/neutron/rootwrap.conf

> stat -c "%a %G %U %n" /etc/mistral/*
640 mistral mistral /etc/mistral/logging.conf
640 mistral mistral /etc/mistral/mistral.conf
640 mistral mistral /etc/mistral/policy.json
640 mistral mistral /etc/mistral/wf_trace_logging.conf

> stat -c "%a %G %U %n" /etc/zaqar/*
644 root root /etc/zaqar/1.conf
640 zaqar root /etc/zaqar/logging.conf
640 zaqar root /etc/zaqar/policy.json
640 zaqar root /etc/zaqar/zaqar.conf

> sudo stat -c "%a %G %U %n" /etc/heat/*
755 root root /etc/heat/environment.d
640 heat root /etc/heat/heat.conf
640 heat root /etc/heat/policy.json
755 root root /etc/heat/templates

Keystone wouldn't let me stat its directory, as the root user:
> stat -c "%a %G %U %n" /etc/keystone/*
700 keystone keystone /etc/keystone/credential-keys
640 keystone root /etc/keystone/default_catalog.templates
700 keystone keystone /etc/keystone/fernet-keys
640 keystone root /etc/keystone/keystone.conf
640 keystone root /etc/keystone/keystone-paste.ini
640 keystone root /etc/keystone/logging.conf
640 keystone root /etc/keystone/policy.json
640 keystone keystone /etc/keystone/sso_callback_template.html

To conclude, we have a very diverse set of actors. I'll start a discussion on rhos-dev to see what direction we'd like to set here.
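Both listings above (the OSP 9 overcloud node in the description and the OSP 12 undercloud survey in comment 1) were produced by eye-balling `stat -c "%a %G %U %n"` output. The script below is an added example, not code from the bug or from OpenStack, that turns that same record format into a mechanical check. The baseline it enforces (regular files root:<service> 0640, directories root:<service> 0750, nothing world-writable, no setuid/setgid/sticky bits) is an assumption made for this example; the upstream checklist lists files individually, so substitute its values where they differ (rootwrap.conf in particular may have a different expected owner). The constructed sample is the /etc/neutron listing from comment 1 with a "dir" marker appended by hand, because the bug's output format does not record file type. One caveat for anyone re-running this on a real node: if plugin.ini is a symlink, as it commonly is on RDO-based installs (an assumption here, the bug does not say), a plain `stat` reports the link's own mode, lrwxrwxrwx = 777, rather than the target's, so the live audit uses `stat -L` and judges the target.

```shell
#!/bin/sh
# Added example, not part of the bug report: audit OpenStack config file
# ownership and permissions against a baseline, using the same
# stat -c "%a %G %U %n" record format as the listings in this bug.
#
# Assumed baseline (an assumption for this example, not copied from the
# upstream guide): regular files root:<service> 0640, directories
# root:<service> 0750, nothing world-writable, no setuid/setgid/sticky bits.

# Left-pad an octal mode string from stat %a to at least three digits,
# without any numeric conversion (so "40" -> "040", "2750" stays "2750").
pad3() { case $1 in ?) echo "00$1";; ??) echo "0$1";; *) echo "$1";; esac; }

# no_extra_bits MODE WANT: succeed when MODE grants no permission bit that
# WANT does not also grant (stricter than WANT is fine). Any setuid/setgid/
# sticky bit in MODE counts as extra. Digits 0-7 mean the same in octal and
# decimal, so each rwx triplet can be masked with plain shell arithmetic.
no_extra_bits() {
    m=$(pad3 "${1:-0}"); w=$(pad3 "$2")
    case $m in ????*) [ "${m%???}" = 0 ] || return 1 ;; esac
    m=${m#"${m%???}"}; w=${w#"${w%???}"}            # keep the last three digits
    mg=${m#?}; wg=${w#?}
    [ $(( ${m%??} & ~${w%??} )) -eq 0 ] || return 1   # user triplet
    [ $(( ${mg%?} & ~${wg%?} )) -eq 0 ] || return 1   # group triplet
    [ $(( ${m#??} & ~${w#??} )) -eq 0 ] || return 1   # other triplet
}

# check_entry MODE GROUP USER PATH SERVICE [file|dir]: print one verdict line
# and return 0 if the entry meets the baseline, 1 otherwise.
check_entry() {
    mode=$1; group=$2; user=$3; entry=$4; svc=$5; kind=${6:-file}
    want=640; [ "$kind" = dir ] && want=750
    why=""
    [ "$user" = root ]    || why="$why owner=$user(want root)"
    [ "$group" = "$svc" ] || why="$why group=$group(want $svc)"
    no_extra_bits "$mode" "$want" || why="$why mode=$mode(want $want)"
    case $mode in *[2367]) why="$why WORLD-WRITABLE" ;; esac   # other-write bit set
    if [ -z "$why" ]; then printf 'OK   %s\n' "$entry"; return 0; fi
    printf 'FAIL %s:%s\n' "$entry" "$why"; return 1
}

# audit_records SERVICE: read "<mode> <group> <user> <path> [dir]" lines from
# stdin, check each one, and return the number of failing entries.
audit_records() {
    fails=0
    while read -r mode group user entry kind; do
        [ -n "$mode" ] || continue
        check_entry "$mode" "$group" "$user" "$entry" "$1" "${kind:-file}" || fails=$((fails + 1))
    done
    return $fails
}

# audit_dir DIR SERVICE: audit a live directory. stat -L follows symlinks, so a
# link such as plugin.ini is judged by its target's mode and not by the link's
# own 777 (lrwxrwxrwx) that plain stat reports. Paths with spaces are not handled.
audit_dir() {
    dir=$1; svc=$2
    {
        printf '%s dir\n' "$(stat -L -c '%a %G %U %n' "$dir")"
        for p in "$dir"/*; do
            [ -e "$p" ] || continue
            if [ -d "$p" ]; then k=dir; else k=file; fi
            printf '%s %s\n' "$(stat -L -c '%a %G %U %n' "$p")" "$k"
        done
    } | audit_records "$svc"
}

# Constructed sample: the /etc/neutron listing from comment 1 of this bug, with
# a "dir" marker appended by hand for the directories.
NEUTRON_SAMPLE='755 root root /etc/neutron/conf.d dir
640 neutron root /etc/neutron/dhcp_agent.ini
640 neutron root /etc/neutron/l3_agent.ini
640 neutron root /etc/neutron/metadata_agent.ini
640 neutron root /etc/neutron/neutron.conf
777 root root /etc/neutron/plugin.ini
755 root root /etc/neutron/plugins dir
640 neutron root /etc/neutron/policy.json
644 root root /etc/neutron/rootwrap.conf'

# audit_sample: run the constructed sample against the neutron baseline and
# return the failure count (conf.d, plugin.ini, plugins and rootwrap.conf fail).
audit_sample() {
    audit_records neutron <<EOF
$NEUTRON_SAMPLE
EOF
}

# Usage: "sh audit.sh --live /etc/neutron neutron" audits a real node;
# call audit_sample to see the verdicts for the constructed listing.
case ${1:-} in --live) audit_dir "${2:-/etc/neutron}" "${3:-neutron}" ;; esac
```

The per-triplet mask is what makes the check useful: it accepts anything stricter than the baseline (0600 passes against 0640) while rejecting any extra bit, so a drift from 0640 to 0660 is caught even though the file is still not world-readable. The world-writable test is redundant with the mask but is flagged by name because it is the one finding that should not wait for a policy discussion.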
