Derek Higgins (derekh) reports:
puppetlabs-cinder / manifests / base.pp as used in OpenStack packstack uses
unsafe file permissions (mode 0644) for various config files (cinder.conf and
api-paste.ini) which can result in authorization credentials being exposed to
mode => '0644',
Fix for this issue:
This covers cinder.conf but I think api-paste.ini should also be included. It contains the cinder auth credentials for keystone.
This issue was discovered by Derek Higgins of the Red Hat OpenStack team.
This issue has been addressed in the following products:
OpenStack Folsom for RHEL 6
Via RHSA-2013:0595 https://rhn.redhat.com/errata/RHSA-2013-0595.html
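A check for the condition reported above, as an added example that is not part of the original report or of puppetlabs-cinder: it flags cinder.conf and api-paste.ini when any permission bit is set for "other", which is the case for mode 0644. The /etc/cinder directory, the function names and the sample files are assumptions made for this example.

```python
import os
import stat
import sys
import tempfile

# File names are taken from the report; /etc/cinder is an assumed install path.
SENSITIVE_FILES = ("cinder.conf", "api-paste.ini")
DEFAULT_CONF_DIR = "/etc/cinder"


def audit_config_dir(conf_dir, names=SENSITIVE_FILES):
    """Return (path, octal mode) for each listed file that grants any access to 'other'."""
    findings = []
    for name in names:
        path = os.path.join(conf_dir, name)
        try:
            st = os.stat(path)  # follows symlinks, so the real file's mode is checked
        except FileNotFoundError:
            continue  # file not deployed on this host
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IRWXO:  # any of r/w/x set for users outside owner and group
            findings.append((path, format(mode, "04o")))
    return findings


def demo():
    """Constructed sample: one file at the reported 0644, one restricted to owner and group."""
    with tempfile.TemporaryDirectory() as conf_dir:
        for name, mode in (("cinder.conf", 0o644), ("api-paste.ini", 0o640)):
            path = os.path.join(conf_dir, name)
            with open(path, "w") as fh:
                fh.write("# constructed sample, no real credentials\n")
            os.chmod(path, mode)  # set explicitly so the umask does not interfere
        return [(os.path.basename(p), m) for p, m in audit_config_dir(conf_dir)]


if __name__ == "__main__":
    conf_dir = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CONF_DIR
    results = audit_config_dir(conf_dir)
    for path, mode in results:
        print(f"{path}: mode {mode} is accessible to all local users")
    sys.exit(1 if results else 0)
```

The script exits non-zero when a finding exists, so it can run as a post-deployment check after the manifest is applied.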