[Bug 1755027] Re: [SRU] local_settings.py is world readable and contains passwords
Launchpad Bug Tracker
1755027 at bugs.launchpad.net
Thu Mar 22 09:33:05 UTC 2018
This bug was fixed in the package horizon - 2:9.1.2-0ubuntu5
---------------
horizon (2:9.1.2-0ubuntu5) xenial; urgency=medium
  [ Seyeong Kim ]
  * Hide unused consistency groups tab (LP: #1582725)
    - d/p/hide-unused-consistency-groups.patch: Pick some policies from
      upstream commit 388708b251b0487bb22fb3ebb8fcb36ee4ffdc4f to hide
      unused consistency groups tab.
  [ Corey Bryant ]
  * d/openstack-dashboard.postinst: Ensure permissions are not
    world-readable for /etc/openstack-dashboard/local_settings.py
    (LP: #1755027).
  [ Shane Peters ]
  * d/p/let-nova-to-pick-availability-zone.patch:
    In the Angular Launch Instance, if there is more than one
    availability zone default to the option for the Nova scheduler to pick.
    This is a regression from the legacy Launch Instance feature (LP: #1613900).
 -- Corey Bryant <corey.bryant at canonical.com>  Thu, 15 Mar 2018 13:57:14 -0400
https://bugs.launchpad.net/bugs/1755027
Title:
[SRU] local_settings.py is world readable and contains passwords
Status in OpenStack openstack-dashboard charm:
Fix Released
Status in Ubuntu Cloud Archive:
Invalid
Status in Ubuntu Cloud Archive kilo series:
Fix Released
Status in Ubuntu Cloud Archive mitaka series:
Fix Released
Status in Ubuntu Cloud Archive newton series:
Fix Released
Status in Ubuntu Cloud Archive ocata series:
Fix Released
Status in Ubuntu Cloud Archive pike series:
Fix Released
Status in designate-dashboard package in Ubuntu:
Invalid
Status in horizon package in Ubuntu:
Invalid
Status in murano-dashboard package in Ubuntu:
Invalid
Status in neutron-lbaas-dashboard package in Ubuntu:
Invalid
Status in sahara-dashboard package in Ubuntu:
Invalid
Status in trove-dashboard package in Ubuntu:
Invalid
Status in horizon source package in Trusty:
Fix Committed
Status in horizon source package in Xenial:
Fix Released
Status in murano-dashboard source package in Xenial:
Fix Released
Status in sahara-dashboard source package in Xenial:
Fix Released
Status in trove-dashboard source package in Xenial:
Fix Released
Status in designate-dashboard source package in Artful:
Fix Released
Status in murano-dashboard source package in Artful:
Fix Released
Status in sahara-dashboard source package in Artful:
Fix Released
Status in trove-dashboard source package in Artful:
Fix Released
Bug description:
[Impact]
nobody at juju-a45617-0-lxd-4:/$ grep PASSWORD /etc/openstack-dashboard/local_settings.py
'PASSWORD': 'yNXwml0TXuWjcW19jDzE49IiohSIMY',
#EMAIL_HOST_PASSWORD = 'top-secret!'
#OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
#ENFORCE_PASSWORD_CHECK = False
nobody at juju-a45617-0-lxd-4:/$
Needless to say, I should not be able to see passwords as 'nobody'.
This is on a customer site, but I've reproduced at least the world
readability with a fresh deploy of cs:openstack-dashboard locally.
This release sports mostly bug-fixes and we would like to make sure all of our
supported customers have access to these improvements.
The update contains the following package updates:
* <TODO: Create list with package names and versions>
[Test Case]
apt install openstack-dashboard
sudo ls -al /etc/openstack-dashboard/
permissions should be:
-rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py
sudo ls -al /var/lib/openstack-dashboard/ # should be recursively
owned by horizon:horizon before and after installing any dashboard
plugins
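The following POSIX shell script is an added example for the test case above; it is not the horizon package's postinst or any code from the bug report. It turns the two manual `ls -al` checks into functions that return a pass/fail status: `check_secret_file` verifies that local_settings.py is not world-readable and is owned by the expected user:group (root:horizon per the test case), `check_tree_owner` verifies that every entry under /var/lib/openstack-dashboard has the expected owner, and `fix_secret_file` applies the same chown/chmod the postinst change performs. The paths and the `root:horizon` / `horizon:horizon` owners are taken from the test case; everything else (function names, the `LOCAL_SETTINGS` and `DASHBOARD_STATE` variables) is assumed for this example. It uses GNU `stat -c`, so it is Linux-specific.

```shell
#!/bin/sh
# Added example (not the horizon package's own postinst): audit and, if
# wanted, repair the permissions the SRU [Test Case] expects.

# Assumed defaults, taken from the test case; override via the environment.
LOCAL_SETTINGS="${LOCAL_SETTINGS:-/etc/openstack-dashboard/local_settings.py}"
DASHBOARD_STATE="${DASHBOARD_STATE:-/var/lib/openstack-dashboard}"

# mode_of FILE  -> permission bits in octal without leading zero, e.g. 640
mode_of() { stat -c '%a' "$1"; }

# owner_of FILE -> "user:group" as shown by ls -l
owner_of() { stat -c '%U:%G' "$1"; }

# world_readable FILE -> exit 0 when the "other" class has read permission.
# The last octal digit of the mode is the "other" class; bit 4 is read.
world_readable() {
  m=$(mode_of "$1")
  other=$(( m % 10 ))
  [ $(( other & 4 )) -ne 0 ]
}

# check_secret_file FILE EXPECTED_OWNER
# exit 0 only when FILE exists, is not world-readable and has EXPECTED_OWNER.
# Each failing condition is reported on stderr so an audit run shows why.
check_secret_file() {
  f=$1; want=$2
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  rc=0
  if world_readable "$f"; then
    echo "world-readable: $f (mode $(mode_of "$f"))" >&2; rc=1
  fi
  if [ "$(owner_of "$f")" != "$want" ]; then
    echo "owner $(owner_of "$f") != $want: $f" >&2; rc=1
  fi
  return $rc
}

# check_tree_owner DIR EXPECTED_OWNER
# exit 0 only when DIR and everything below it is owned by EXPECTED_OWNER;
# this is the "recursively owned by horizon:horizon" condition of the test case.
check_tree_owner() {
  d=$1; want=$2
  [ -d "$d" ] || { echo "missing: $d" >&2; return 1; }
  bad=$(find "$d" -exec stat -c '%U:%G %n' {} + | grep -v "^$want " || true)
  if [ -n "$bad" ]; then
    printf 'unexpected owner:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# fix_secret_file FILE OWNER
# What the postinst change does for local_settings.py: set the owner and
# drop the "other" bits so only root and the horizon group can read it.
fix_secret_file() {
  chown "$2" "$1" && chmod 0640 "$1"
}

# Stand-alone use: audit the real paths (needs root to read them all).
main() {
  rc=0
  check_secret_file "$LOCAL_SETTINGS" "root:horizon" || rc=1
  check_tree_owner "$DASHBOARD_STATE" "horizon:horizon" || rc=1
  [ $rc -eq 0 ] && echo "OK: dashboard permissions match the SRU test case"
  return $rc
}

# Only run the audit when executed directly, not when sourced for its functions.
case "$0" in */dashboard-perms.sh|dashboard-perms.sh) main ;; esac
```

Run it as `sudo sh dashboard-perms.sh` on a node after the upgrade; a non-zero exit with the stderr lines tells you which of the two conditions from the test case was not met. Note that `check_secret_file` deliberately only rejects world-readable modes rather than demanding exactly 0640, so a stricter 0600 still passes.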
[Regression Potential]
Very minimal regression potential. The fix is already in artful/pike and bionic/queens.
[Discussion]
The following comment is copied from comment #30 below but important to call out for SRU review:
coreycb: I've uploaded designate-dashboard, murano-dashboard, trove-
dashboard, and sahara-dashboard to the Artful Unapproved queue where
they are awaiting review by the SRU team. Note that these changes are
only updating these dashboards to use the proper user:group when
performing chown on /var/lib/openstack-dashboard. This may look
tangential when just looking at the Artful packages but it aligns with
the changes being made for the Ocata cloud-archive (and already made
in Bionic) that run openstack-dashboard under horizon:horizon instead
of under www-data:www-data.