[Bug 1859422] [NEW] security: default ownership and permissions

James Page james.page at ubuntu.com
Mon Jan 13 10:14:17 UTC 2020


Public bug reported:

Package should secure directories and files as below:

  # Logs: writable by the service, readable by admins (adm), hidden from others.
  chown <pkg>:adm /var/log/<pkg>
  chmod 0750 /var/log/<pkg>

  # Config: owned by root so the service can read but not rewrite it.
  find /etc/<pkg> -exec chown root:<pkg> "{}" +
  find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

  # Optional rootwrap.d configuration files (must run after the pass above,
  # which would otherwise reset them to 0640/0750).
  find /etc/<pkg>/rootwrap.d -exec chown root:root "{}" +
  find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +

  # State: private to the service.
  chown <pkg>:<pkg> /var/lib/<pkg>
  chmod 0750 /var/lib/<pkg>
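The sequence above as a reusable script, added here as an illustration; it is not part of the bug report or of any Ubuntu package's maintainer scripts. It assumes the service user and group are both named after the package (nova:nova, keystone:keystone, and so on), that the adm group exists, and that GNU stat/find are available. Ownership and mode changes are split into separate functions so the mode part can be exercised in a scratch tree as an unprivileged user, and an audit function reports any path that deviates from the policy. The file name harden-pkg.sh is made up. The reason rootwrap.d is treated differently is worth spelling out: oslo.rootwrap runs as root (via sudo) and executes only the commands its filter files allow, so if the service user could write those files a compromised service could grant itself arbitrary root commands; root:root 0644 is therefore the one place where read-only-for-the-service matters more than hiding the contents.

```shell
#!/bin/sh
# Added example, not part of the bug report or of any Ubuntu package.
# Applies the ownership/permission policy from the report to one OpenStack
# service package and audits the result. Assumptions: service user and group
# are both named after the package, the 'adm' group exists, GNU coreutils and
# findutils are installed (stat -c, find -path/-prune).
set -eu

# ensure_service_user PKG: create the service account with a non-login shell,
# or move an existing one to /usr/sbin/nologin. Root only.
ensure_service_user() {
    pkg=$1
    getent group "$pkg" >/dev/null || groupadd --system "$pkg"
    if getent passwd "$pkg" >/dev/null; then
        usermod --shell /usr/sbin/nologin "$pkg"
    else
        useradd --system --gid "$pkg" --home-dir "/var/lib/$pkg" \
                --shell /usr/sbin/nologin "$pkg"
    fi
}

# apply_owners PKG [ROOT]: ownership part of the policy beneath ROOT (default /).
# Needs root. rootwrap.d is handled after the generic /etc/PKG pass on purpose:
# those filter files decide what the service may run as root, so they must
# never be writable by the service user.
apply_owners() {
    pkg=$1; root=${2:-}
    etc="$root/etc/$pkg"; rw="$etc/rootwrap.d"
    chown "$pkg:adm" "$root/var/log/$pkg"
    find "$etc" -exec chown "root:$pkg" "{}" +
    if [ -d "$rw" ]; then find "$rw" -exec chown root:root "{}" +; fi
    chown "$pkg:$pkg" "$root/var/lib/$pkg"
}

# apply_modes PKG [ROOT]: mode part of the policy. Works without root on a
# tree the caller owns. '-exec ... +' always evaluates true, so the '-o'
# branch only fires for non-regular files (directories). Order matters: the
# rootwrap.d pass must follow the generic pass, which would otherwise undo it.
apply_modes() {
    pkg=$1; root=${2:-}
    etc="$root/etc/$pkg"; rw="$etc/rootwrap.d"
    chmod 0750 "$root/var/log/$pkg"
    find "$etc" -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
    if [ -d "$rw" ]; then
        find "$rw" -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
    fi
    chmod 0750 "$root/var/lib/$pkg"
}

# _expect PATH WANT: print one MISMATCH line if PATH's octal mode is not WANT.
_expect() {
    actual=$(stat -c %a "$1")
    [ "$actual" = "$2" ] || echo "MISMATCH $1 mode=$actual want=$2"
}

# _audit_lines PKG ROOT: one MISMATCH line per deviating path. Mode only;
# owner checks would require the service accounts to exist on this host.
_audit_lines() {
    pkg=$1; root=$2
    etc="$root/etc/$pkg"; rw="$etc/rootwrap.d"
    _expect "$root/var/log/$pkg" 750
    _expect "$root/var/lib/$pkg" 750
    find "$etc" -path "$rw" -prune -o -type f -print | while read -r f; do _expect "$f" 640; done
    find "$etc" -path "$rw" -prune -o -type d -print | while read -r d; do _expect "$d" 750; done
    if [ -d "$rw" ]; then
        find "$rw" -type f | while read -r f; do _expect "$f" 644; done
        find "$rw" -type d | while read -r d; do _expect "$d" 755; done
    fi
}

# audit_perms PKG [ROOT]: print the deviations and return 1 if there are any.
audit_perms() {
    out=$(_audit_lines "$1" "${2:-}")
    [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Stand-alone use (as root): sh harden-pkg.sh <pkg> [root]
if [ $# -ge 1 ]; then
    ensure_service_user "$1"
    apply_owners "$@"
    apply_modes "$@"
    audit_perms "$@"
fi
```

Run `sh harden-pkg.sh nova` as root on a real host to apply and verify in one go; to dry-check only, source the file and call `audit_perms nova`. The split between apply_owners and apply_modes is deliberate: a postinst that cannot resolve the service user should fail loudly rather than silently leave /var/lib/<pkg> owned by whoever created it.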

** Affects: aodh (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: barbican (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: cinder (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: designate (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: glance (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: gnocchi (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: heat (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: ironic (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: keystone (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: manila (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: masakari (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: mistral (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: neutron (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: nova (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: octavia (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: openstack-trove (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: placement (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: sahara (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: senlin (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: swift (Ubuntu)
     Importance: Medium
         Status: Triaged

** Affects: watcher (Ubuntu)
     Importance: Medium
         Status: Triaged

** Also affects: barbican (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: aodh (Ubuntu)
       Status: New => Triaged

** Changed in: aodh (Ubuntu)
   Importance: Undecided => Medium

** Changed in: barbican (Ubuntu)
       Status: New => Confirmed

** Changed in: barbican (Ubuntu)
       Status: Confirmed => Triaged

** Changed in: barbican (Ubuntu)
   Importance: Undecided => Medium

** Description changed:

  Package should security directories and files as below:
  
-   chown <pkg>:adm /var/log/<pkg>
-   chmod 0750 /var/log/<pkg>
+   chown <pkg>:adm /var/log/<pkg>
+   chmod 0750 /var/log/<pkg>
  
-   find /etc/<pkg> -exec echo chown root:<pkg> "{}" +
-   find /etc/<pkg> -type f -exec echo chmod 0640 "{}" + -o -type d -exec echo chmod 0750 "{}" +
+   find /etc/<pkg> -exec chown root:<pkg> "{}" +
+   find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
-   chown <pkg>:<pkg> /var/lib/<pkg>
-   chown 0750 /var/lib/<pkg>
+   chown <pkg>:<pkg> /var/lib/<pkg>
+   chown 0750 /var/lib/<pkg>
  
  Users should be created with "--shell /usr/sbin/nologin" rather than
  /bin/false
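Review bot: the re-added `+   chown 0750 /var/lib/<pkg>` line still carries the wrong command; `0750` is a mode, so it should be `chmod 0750 /var/lib/<pkg>`. Because GNU chown accepts numeric IDs, this is not a harmless no-op: it most likely reassigns the directory to uid 750, overwriting the `chown <pkg>:<pkg>` on the line before. The rest of the change, dropping the `echo` dry-run prefix from the two find commands, is what the final version needs.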

** Description changed:

  Package should security directories and files as below:
  
    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>
  
    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
+   # Optional rootwrap.d configuration files.
+   find /etc/<pkg>/rootwrap.d -exec chmod root:root "{}" +
+   find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
+ 
    chown <pkg>:<pkg> /var/lib/<pkg>
    chown 0750 /var/lib/<pkg>
  
  Users should be created with "--shell /usr/sbin/nologin" rather than
  /bin/false
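Review bot: `find /etc/<pkg>/rootwrap.d -exec chmod root:root "{}" +` mixes up the tools; `root:root` is an owner spec, so this should be `chown root:root`. As written chmod rejects the argument and the filter files stay root:<pkg> from the preceding find. Ownership is the point here: rootwrap filters define what the service may execute as root, so they must not be writable by <pkg>. Placing the block after the generic /etc/<pkg> pass is correct, since that pass would otherwise reset these files to 0640/0750.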

** Also affects: cinder (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: cinder (Ubuntu)
       Status: New => Triaged

** Changed in: cinder (Ubuntu)
   Importance: Undecided => Medium

** Also affects: designate (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: designate (Ubuntu)
       Status: New => Triaged

** Changed in: designate (Ubuntu)
   Importance: Undecided => Medium

** Also affects: glance (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: glance (Ubuntu)
       Status: New => Triaged

** Changed in: glance (Ubuntu)
   Importance: Undecided => Medium

** Also affects: gnocchi (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: gnocchi (Ubuntu)
       Status: New => Triaged

** Changed in: gnocchi (Ubuntu)
   Importance: Undecided => Medium

** Also affects: heat (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: ironic (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: keystone (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: manila (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: masakari (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: mistral (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: nova (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: octavia (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: openstack-trove (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: placement (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: sahara (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: swift (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: senlin (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: watcher (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: heat (Ubuntu)
       Status: New => Triaged

** Changed in: ironic (Ubuntu)
       Status: New => Triaged

** Changed in: keystone (Ubuntu)
       Status: New => Triaged

** Changed in: manila (Ubuntu)
       Status: New => Triaged

** Changed in: masakari (Ubuntu)
       Status: New => Triaged

** Changed in: mistral (Ubuntu)
       Status: New => Triaged

** Changed in: neutron (Ubuntu)
       Status: New => Triaged

** Changed in: nova (Ubuntu)
       Status: New => Triaged

** Changed in: octavia (Ubuntu)
       Status: New => Triaged

** Changed in: openstack-trove (Ubuntu)
       Status: New => Triaged

** Changed in: placement (Ubuntu)
       Status: New => Triaged

** Changed in: sahara (Ubuntu)
       Status: New => Triaged

** Changed in: senlin (Ubuntu)
       Status: New => Triaged

** Changed in: swift (Ubuntu)
       Status: New => Triaged

** Changed in: watcher (Ubuntu)
       Status: New => Triaged

** Changed in: heat (Ubuntu)
   Importance: Undecided => Medium

** Changed in: ironic (Ubuntu)
   Importance: Undecided => Medium

** Changed in: keystone (Ubuntu)
   Importance: Undecided => Medium

** Changed in: manila (Ubuntu)
   Importance: Undecided => Medium

** Changed in: masakari (Ubuntu)
   Importance: Undecided => Medium

** Changed in: mistral (Ubuntu)
   Importance: Undecided => Medium

** Changed in: neutron (Ubuntu)
   Importance: Undecided => Medium

** Changed in: nova (Ubuntu)
   Importance: Undecided => Medium

** Changed in: octavia (Ubuntu)
   Importance: Undecided => Medium

** Changed in: openstack-trove (Ubuntu)
   Importance: Undecided => Medium

** Changed in: placement (Ubuntu)
   Importance: Undecided => Medium

** Changed in: sahara (Ubuntu)
   Importance: Undecided => Medium

** Changed in: senlin (Ubuntu)
   Importance: Undecided => Medium

** Changed in: swift (Ubuntu)
   Importance: Undecided => Medium

** Changed in: watcher (Ubuntu)
   Importance: Undecided => Medium

** Description changed:

  Package should security directories and files as below:
  
    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>
  
    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
-   # Optional rootwrap.d configuration files.
-   find /etc/<pkg>/rootwrap.d -exec chmod root:root "{}" +
-   find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
+   # Optional rootwrap.d configuration files.
+   find /etc/<pkg>/rootwrap.d -exec chmod root:root "{}" +
+   find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
  
    chown <pkg>:<pkg> /var/lib/<pkg>
    chown 0750 /var/lib/<pkg>
  
  Users should be created with "--shell /usr/sbin/nologin" rather than
- /bin/false
+ /bin/false and updated if already created:
+ 
+   usermod -s /usr/sbin/nologin <pkg>
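Review bot: the three rootwrap.d lines are re-added unchanged apart from whitespace, so `chmod root:root` still needs to become `chown root:root`. The new `usermod -s /usr/sbin/nologin <pkg>` line is the right complement to `--shell` at creation time, since useradd's shell option only affects accounts that do not exist yet.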

** Description changed:

  Package should security directories and files as below:
  
    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>
  
    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
  
    # Optional rootwrap.d configuration files.
    find /etc/<pkg>/rootwrap.d -exec chmod root:root "{}" +
    find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +
  
    chown <pkg>:<pkg> /var/lib/<pkg>
    chown 0750 /var/lib/<pkg>
- 
- Users should be created with "--shell /usr/sbin/nologin" rather than
- /bin/false and updated if already created:
- 
-   usermod -s /usr/sbin/nologin <pkg>
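Review bot: this drops the nologin paragraph and the `usermod -s /usr/sbin/nologin <pkg>` line, leaving the description with no guidance on the service account's login shell; if that requirement moved to a separate bug, it would help to link it here.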

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to aodh in Ubuntu.
https://bugs.launchpad.net/bugs/1859422

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aodh/+bug/1859422/+subscriptions