Derek Higgins (derekh) of Red Hat reports: packstack creates a answerfile containing configuration details for an openstack deployment. But after a recent comment in https://bugzilla.redhat.com/show_bug.cgi?id=906410 [Open URL] comment 4, I reviewed the code on how it is generated. The file was being opened, written to and then the mode was being changed to 600: https://github.com/stackforge/packstack/blob/07a7897038bee143630fd84e95b3a4f5c89a5b47/packstack/installer/run_setup.py def generateAnswerFile(outputFile, overrides={}): sep = os.linesep fmt = ("%(comment)s%(separator)s%(conf_name)s=%(default_value)s" "%(separator)s") outputFile = os.path.expanduser(outputFile) with open(outputFile, "w") as ans_file: ... os.chmod(outputFile, 0600) and the answer path is provided by: def _getanswerfilepath(): path = None msg = "Could not find a suitable path on which to create the answerfile" # We'll use the first path with # write permissions. Order matters. for p in ["./", "~/", "/tmp"]: if os.access(p, os.W_OK): path = os.path.abspath( The current directory "./" may be accessible to an attacker, and "/tmp" is definitely accessible to attackers. The file permissions should also be set securely prior to placing the information in it.
Fix merged upstream https://review.openstack.org/#/c/22986/
Acknowledgements: This issue was discovered by Derek Higgins of the Red Hat OpenStack team.
This issue has been addressed in following products: OpenStack Folsom for RHEL 6 Via RHSA-2013:0671 https://rhn.redhat.com/errata/RHSA-2013-0671.html