Description of problem: The /etc/designate directory, /etc/designate/private, and /etc/designate/private/bind1.conf files are all world readable. This exposes the RNDC keys to anyone able to access the container.

Inside the container:

$ ls -al /etc/designate/
total 88
drwxr-xr-x. 1 root root          80 Sep 11 17:41 .
drwxr-xr-x. 1 root root          55 Sep 11 17:41 ..
-rw-r-----. 1 root designate  70205 Sep 11 16:31 designate.conf
-rw-r-----. 1 root designate   6060 Sep 11 16:31 policy.yaml
-rw-r--r--. 1 root root        2125 Sep 11 16:44 pools.yaml
drwxr-xr-x. 2 root root          60 Sep 11 17:41 private
-rw-r-----. 1 root designate    949 Jul  8  2022 rootwrap.conf

$ ls -al /etc/designate/private/
total 12
drwxr-xr-x. 2 root root  60 Sep 11 17:41 .
drwxr-xr-x. 1 root root  80 Sep 11 17:41 ..
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind2.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 bind3.conf

On the overcloud host:

$ ls -al /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
-rw-r--r--. 1 root root 196 Sep 11 16:27 /var/lib/config-data/puppet-generated/designate/etc/designate/private/bind1.conf
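A small audit-and-fix script for the permission problem in the report, added here as an example and not part of the bug report or of the designate project: it builds a constructed copy of the reported private/ layout in a temp dir, lists every world-readable entry, then tightens the tree to the 750/640, root:designate layout that designate.conf already uses. The group name `designate` and the key file contents are assumptions (placeholder secret); on a box without that group the demo falls back to the caller's group.

```shell
#!/bin/sh
# Audit and harden a designate "private" directory so RNDC key files
# (bind*.conf) are readable only by root and the designate group.

# Print every file or directory under $1 that carries the "other read" bit.
world_readable() {
    find "$1" \( -type f -o -type d \) -perm -004
}

# Number of world-readable entries under $1 (0 means the tree is clean).
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Tighten $1: directory 750, files 640, group $2 (default: designate),
# i.e. the same -rw-r----- mode designate.conf already has.
harden_private_dir() {
    dir=$1
    grp=${2:-designate}
    chgrp -R "$grp" "$dir" 2>/dev/null || true   # group may be absent on a dev box
    chmod 750 "$dir"
    find "$dir" -type f -exec chmod 640 {} +
}

# Constructed copy of the layout from the report: 755 dir, three 644 key files.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -m 755 "$t/private"
    for n in 1 2 3; do
        printf 'key "rndc-key" { algorithm hmac-sha256; secret "PLACEHOLDER"; };\n' \
            > "$t/private/bind$n.conf"
        chmod 644 "$t/private/bind$n.conf"
    done
    echo "$t/private"
}

main() {
    d=$(make_sample_tree)
    echo "before: $(count_world_readable "$d") world-readable entries"
    world_readable "$d"
    harden_private_dir "$d" "$(id -gn)"    # caller's group stands in for 'designate'
    echo "after:  $(count_world_readable "$d") world-readable entries"
    rm -rf "$(dirname "$d")"
}

main
```

Run against the real tree with `world_readable /etc/designate/private` inside the container (and the puppet-generated copy on the host) to confirm nothing is left exposed after the errata are applied.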
I've added you as reporter credit to the CVE page; if you'd prefer not to be credited or there's someone else who should be on it too, let me know and I'll modify it.
I have no problem with that.
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 8 Via RHSA-2024:2770 https://access.redhat.com/errata/RHSA-2024:2770
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2024:2736 https://access.redhat.com/errata/RHSA-2024:2736