Within the OpenStack keystone package the file /etc/keystone/ec2rc is world readable and contains:

===
ADMIN_ACCESS=109a7daa83054fc58ec8ade83b114117
ADMIN_SECRET=3bbbcba9514e4e8e8d0eb9e528754091
DEMO_ACCESS=81c2326383e34b888e0589057bc7fae2
DEMO_SECRET=ceb87a47838a442ea2923ad1bd6f0a16
===

Also please note that the /etc/keystone/ directory should probably not be world readable at all.
/etc/keystone/ec2rc is not included in the openstack-keystone RPM; it's produced by the sample_data.sh script: https://github.com/openstack/keystone/blob/master/tools/sample_data.sh#L259

We'll patch that part out. Neither the sample script nor the ec2rc file is documented in our guide: https://access.redhat.com/knowledge/docs/en-US/Red_Hat_OpenStack_Preview/1/html/Getting_Started_Guide/index.html
Created attachment 641626 [details]
Proposed patch
> Also please note that the /etc/keystone/ directory should probably not be world readable at all.

Instead of the proposed patch, we could just fix that in the spec:

-%dir %{_sysconfdir}/keystone
+%dir %attr{0750, root, keystone} %{_sysconfdir}/keystone
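Review bot: the `%attr` macro in the `+` line uses braces, but RPM spec syntax takes its arguments in parentheses, so rpmbuild will not apply the mode; the line should read `%dir %attr(0750, root, keystone) %{_sysconfdir}/keystone`. Note also that this only tightens the directory: ec2rc itself is written by sample_data.sh outside the package, so the directory mode is what keeps it from other users, which is consistent with the comment's intent.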
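As an added check, not part of the bug thread or of the keystone package: a shell routine that reports paths under a config directory readable by "other" (the condition reported for /etc/keystone/ec2rc), applies the 0750 directory / 0640 file tightening the thread proposes, and re-checks. It runs on a constructed temporary directory standing in for /etc/keystone, and omits the root:keystone ownership change because that needs root.

```shell
#!/bin/sh
# Added example: find world-readable entries under a config directory and
# tighten them the way the spec change in this thread intends.

# Print every path under $1 whose mode grants read to "other" (o+r = 004).
world_readable() {
    find "$1" -perm -004 -print | sort
}

# Tighten a keystone-style config dir: directory 0750, regular files 0640.
# Ownership (root:keystone in the proposed %attr) is left out; chown needs root.
harden_config_dir() {
    chmod 0750 "$1"
    find "$1" -type f -exec chmod 0640 {} +
}

# Constructed demo: a temp dir mimicking a world-readable /etc/keystone with
# an ec2rc file (placeholder values, not the keys from the report).
# Echoes "<world-readable count before> <count after>".
demo() {
    d=$(mktemp -d)
    mkdir -m 0755 "$d/keystone"
    printf 'ADMIN_ACCESS=placeholder\nADMIN_SECRET=placeholder\n' > "$d/keystone/ec2rc"
    chmod 0644 "$d/keystone/ec2rc"
    before=$(world_readable "$d/keystone" | wc -l | tr -d ' ')
    harden_config_dir "$d/keystone"
    after=$(world_readable "$d/keystone" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}
```

Before hardening both the directory and ec2rc are reported; after it nothing under the directory is readable by other, which is the state the spec `%attr` change is meant to guarantee.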
Created openstack-keystone tracking bugs for this issue

Affects: epel-6 [bug 876287]
python-keystoneclient-0.1.3.27-1.el6, python-glanceclient-0.5.1-1.el6, python-websockify-0.2.0-1.el6, novnc-0.4-2.el6, python-prettytable-0.6.1-1.el6, openstack-quantum-2012.2-2.el6, python-quantumclient-2.1.1-0.el6, python-cinderclient-0.2.26-1.el6, python-novaclient-2.9.0-1.el6, python-django-openstack-auth-1.0.2-3.el6, openstack-nova-2012.2-2.el6, openstack-cinder-2012.2-3.el6, openstack-utils-2012.2-6.el6, openstack-glance-2012.2-3.el6, python-django-horizon-2012.2-4.el6, openstack-keystone-2012.2-5.el6 have been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Acknowledgements: This issue was discovered by Kurt Seifried of the Red Hat Security Response Team.
This issue has been addressed in the following products:

OpenStack Essex for RHEL 6

Via RHSA-2012:1556 https://rhn.redhat.com/errata/RHSA-2012-1556.html
openstack-keystone-2012.1.3-3.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.