[Bug 1755027] Please test proposed package

Corey Bryant corey.bryant at canonical.com
Fri Mar 16 13:31:24 UTC 2018 

Hello James, or anyone else affected,

Accepted horizon into mitaka-proposed. The package will build now and be
available in the Ubuntu Cloud Archive in a few hours, and then in the
-proposed repository.

Please help us by testing this new package. To enable the -proposed
repository:

  sudo add-apt-repository cloud-archive:mitaka-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, and change the tag
from verification-mitaka-needed to verification-mitaka-done. If it does
not fix the bug for you, please add a comment stating that, and change
the tag to verification-mitaka-failed. In either case, details of your
testing will help us make a better decision.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!

** Changed in: cloud-archive/mitaka
       Status: Triaged => Fix Committed

** Tags added: verification-mitaka-needed

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1755027

Title:
  [SRU] local_settings.py is world readable and contains passwords

Status in OpenStack openstack-dashboard charm:
  Fix Released
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Fix Committed
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in designate-dashboard package in Ubuntu:
  Invalid
Status in horizon package in Ubuntu:
  Invalid
Status in murano-dashboard package in Ubuntu:
  Invalid
Status in neutron-lbaas-dashboard package in Ubuntu:
  Invalid
Status in sahara-dashboard package in Ubuntu:
  Invalid
Status in trove-dashboard package in Ubuntu:
  Invalid
Status in horizon source package in Trusty:
  Fix Committed
Status in horizon source package in Xenial:
  Fix Committed
Status in murano-dashboard source package in Xenial:
  Fix Committed
Status in sahara-dashboard source package in Xenial:
  Fix Committed
Status in trove-dashboard source package in Xenial:
  Fix Committed
Status in designate-dashboard source package in Artful:
  Fix Committed
Status in murano-dashboard source package in Artful:
  Fix Committed
Status in sahara-dashboard source package in Artful:
  Fix Committed
Status in trove-dashboard source package in Artful:
  Fix Committed

Bug description:
  [Impact]

  nobody at juju-a45617-0-lxd-4:/$ grep PASSWORD /etc/openstack-dashboard/local_settings.py
          'PASSWORD': 'yNXwml0TXuWjcW19jDzE49IiohSIMY',
  #EMAIL_HOST_PASSWORD = 'top-secret!'
  #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
  OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
  #ENFORCE_PASSWORD_CHECK = False
  nobody at juju-a45617-0-lxd-4:/$

  Needless to say, I should not be able to see passwords as 'nobody'.

  This is on a customer site, but I've reproduced at least the world
  readableness with a fresh deploy of cs:openstack-dashboard locally.

  This release sports mostly bug-fixes and we would like to make sure all of our
  supported customers have access to these improvements.
  The update contains the following package updates:

     * <TODO: Create list with package names and versions>

  [Test Case]
  apt install openstack-dashboard
  sudo ls -al /etc/openstack-dashboard/

  permissions should be:
  -rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py

  sudo ls -al /var/lib/openstack-dashboard/ # should be recursively
  owned by horizon:horizon before and after installing any dashboard
  plugins

  [Regression Potential]
  Very minimal regression potential. The fix is already in artful/pike and bionic/queens.

  [Discussion]
  The following comment is copied from comment #30 below but important to call out for SRU review:

  coreycb: I've uploaded designate-dashboard, murano-dashboard, trove-
  dashboard, and sahara-dashboard to the Artful Unapproved queue where
  they are awaiting review by the SRU team. Note that these changes are
  only updating these dashboard to use the proper user:group when
  performing chown on /var/lib/openstack-dashboard. This may look
  tengential when just looking at the Artful packages but it aligns with
  the changes being made for the Ocata cloud-archive (and already made
  in Bionic) that run openstack-dashboard under horizon:horizon instead
  of under www-data:www-data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1755027/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list