[Bug 1382632] Re: Insecure key file permissions

Mathew Hodson mathew.hodson at gmail.com
Tue Jul 12 17:59:43 UTC 2016


** No longer affects: horizon (Ubuntu)

** No longer affects: horizon (Ubuntu Vivid)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1382632

Title:
  Insecure key file permissions

Status in curtin:
  Fix Committed
Status in curtin package in Ubuntu:
  Fix Released
Status in curtin source package in Trusty:
  Fix Released
Status in curtin source package in Utopic:
  Fix Released
Status in curtin source package in Vivid:
  Fix Released

Bug description:
  === SRU Information ===
  [Impact]
  Systems installed using curtin inadvertently have a default set of ACLs applied
  to the root directory.  Those default ACLs can wreak havoc with seemingly
  sane expectations of users or packages or administrators.

  For example, the problem that was noticed essentially boiled down to a
  program doing:
    ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
  and then later that program checked permissions of the file
  and found:
    $ ls -l secret-file
    -rw-r--r-- 1 smoser smoser 0 Oct 27 12:00 secret-file
  instead of
    -rw------- 1 smoser smoser 0 Oct 27 12:00 secret-file
  and raised an exception.

  This is not at all an unreasonable expectation.
  Essentially, this boils down to all packages not being ready to handle
  having filesystem ACLs in place.  Additionally, curtin did not intend to
  install the target with default ACLs; that was an unexpected behavior of
  tar (raised in bug 1386237).

  [Test Case]
   * Install system with MAAS and fast path installer (curtin).
   * mkdir /tmp/mydir
   * cd /tmp/mydir
   * ( umask 0066 ; rm -f secret-file; echo "passw0rd" > secret-file )
   * ls -l secret-file

  Expected output is that the file has 600 permissions. The failure case is
  644.

  [Regression Potential]
  Fairly small chance for regression as the tar files created for consumption
  are not created with ACL information inside.  Generally Ubuntu installations
  do not have default ACLs in place on /, and thus the change creates less
  chance for unexpected behavior than is currently present.

  [Other Info]
  This bug is not actually present in the version of curtin in trusty.
  However, the fix for this issue is in the code added to fix bug 1313550.
  The bug is present in utopic's version of curtin.

  === End SRU Information ===

  openstack-dashboard 1:2014.2-0ubuntu1~cloud0 from
  http://ppa.launchpad.net/ubuntu-cloud-archive/juno-staging/ubuntu/

  Got this during installation with the charm:
  (...)
  2014-10-17 17:17:07 INFO install Setting up openstack-dashboard (1:2014.2-0ubuntu1~cloud0) ...
  2014-10-17 17:17:07 INFO install Collecting and compressing static assets...
  2014-10-17 17:17:07 INFO install Traceback (most recent call last):
  2014-10-17 17:17:07 INFO install   File "manage.py", line 25, in <module>
  2014-10-17 17:17:07 INFO install     execute_from_command_line(sys.argv)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 399, in execute_from_command_line
  2014-10-17 17:17:07 INFO install     utility.execute()
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 392, in execute
  2014-10-17 17:17:07 INFO install     self.fetch_command(subcommand).run_from_argv(self.argv)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 261, in fetch_command
  2014-10-17 17:17:07 INFO install     commands = get_commands()
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/core/management/__init__.py", line 107, in get_commands
  2014-10-17 17:17:07 INFO install     apps = settings.INSTALLED_APPS
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 54, in __getattr__
  2014-10-17 17:17:07 INFO install     self._setup(name)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 49, in _setup
  2014-10-17 17:17:07 INFO install     self._wrapped = Settings(settings_module)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/conf/__init__.py", line 128, in __init__
  2014-10-17 17:17:07 INFO install     mod = importlib.import_module(self.SETTINGS_MODULE)
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/django/utils/importlib.py", line 40, in import_module
  2014-10-17 17:17:07 INFO install     __import__(name)
  2014-10-17 17:17:07 INFO install   File "/usr/share/openstack-dashboard/openstack_dashboard/settings.py", line 316, in <module>
  2014-10-17 17:17:07 INFO install     from local.local_settings import *  # noqa
  2014-10-17 17:17:07 INFO install   File "/usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py", line 98, in <module>
  2014-10-17 17:17:07 INFO install     SECRET_KEY = secret_key.generate_or_read_from_file('/var/lib/openstack-dashboard/secret_key')
  2014-10-17 17:17:07 INFO install   File "/usr/lib/python2.7/dist-packages/horizon/utils/secret_key.py", line 61, in generate_or_read_from_file
  2014-10-17 17:17:07 INFO install     raise FilePermissionError("Insecure key file permissions!")
  2014-10-17 17:17:07 INFO install horizon.utils.secret_key.FilePermissionError: Insecure key file permissions!
  2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard (--configure):
  2014-10-17 17:17:07 INFO install  subprocess installed post-installation script returned error exit status 1
  2014-10-17 17:17:07 INFO install dpkg: dependency problems prevent configuration of openstack-dashboard-ubuntu-theme:
  2014-10-17 17:17:07 INFO install  openstack-dashboard-ubuntu-theme depends on openstack-dashboard (= 1:2014.2-0ubuntu1~cloud0); however:
  2014-10-17 17:17:07 INFO install   Package openstack-dashboard is not configured yet.
  2014-10-17 17:17:07 INFO install
  2014-10-17 17:17:07 INFO install dpkg: error processing package openstack-dashboard-ubuntu-theme (--configure):
  2014-10-17 17:17:07 INFO install  dependency problems - leaving unconfigured
  2014-10-17 17:17:07 INFO install No apport report written because the error message indicates its a followup error from a previous failure.
  2014-10-17 17:17:07 INFO install Errors were encountered while processing:
  2014-10-17 17:17:07 INFO install  openstack-dashboard
  2014-10-17 17:17:07 INFO install  openstack-dashboard-ubuntu-theme
  2014-10-17 17:17:08 INFO install E: Sub-process /usr/bin/dpkg returned an error code (1)

  Full logs attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/curtin/+bug/1382632/+subscriptions
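
An added example, not part of the bug report and not curtin or horizon code: when the parent directory has a default ACL, the kernel ignores the umask and limits the inherited ACL by the mode passed at creation, so a secret file written with only a umask can end up 644 as in the test case above, while one created with an explicit 0600 cannot. The function names are hypothetical; `system.posix_acl_default` is the Linux extended attribute that stores a directory's default ACL.

```python
import os
import stat
import tempfile


def has_default_acl(directory):
    """True if directory has a default POSIX ACL (False if none/unsupported)."""
    try:
        os.getxattr(directory, "system.posix_acl_default")
        return True
    except (OSError, AttributeError):
        return False


def write_secret_umask(path, data):
    """Same as the report's shell line: the mode depends only on the umask."""
    old = os.umask(0o066)
    try:
        if os.path.lexists(path):
            os.unlink(path)
        with open(path, "w") as fh:  # creation mode requested: 0666
            fh.write(data)
    finally:
        os.umask(old)


def write_secret_explicit(path, data):
    """Request 0600 at creation, then set it again on the descriptor."""
    if os.path.lexists(path):
        os.unlink(path)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)  # also resets the ACL mask entry, if any
        os.write(fd, data.encode())
    finally:
        os.close(fd)


def mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # constructed scratch directory
        target = os.path.join(d, "secret-file")
        print("default ACL on parent:", has_default_acl(d))
        write_secret_umask(target, "passw0rd")
        print("umask only:   %04o" % mode_of(target))
        write_secret_explicit(target, "passw0rd")
        print("explicit mode: %04o" % mode_of(target))
```

On a directory without a default ACL both variants print 0600; the difference only shows where `has_default_acl` returns True.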


