[Bug 1859422] Re: security: default ownership and permissions

Corey Bryant 1859422 at bugs.launchpad.net
Tue Jun 2 18:50:46 UTC 2020


autopkgtests are passing on the latest version uploaded to focal-
proposed, which serves as verification that this bug is fixed:
http://autopkgtest.ubuntu.com/packages/p/panko/focal/amd64

** Tags added: verification-done verification-done-focal

** Also affects: nova (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: swift (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: glance (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: keystone (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: cinder (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: heat (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: designate (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: neutron (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: openstack-trove (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: ironic (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: manila (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: python-glance-store (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: barbican (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: murano-agent (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: murano (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: sahara (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: aodh (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: ironic-inspector (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: zaqar (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: mistral (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: magnum (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: gnocchi (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: senlin (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: watcher (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: placement (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: octavia (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: zvmcloudconnector (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: masakari (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: masakari-monitors (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: placement (Ubuntu Focal)
       Status: New => Fix Committed

** No longer affects: aodh (Ubuntu Focal)

** No longer affects: barbican (Ubuntu Focal)

** No longer affects: cinder (Ubuntu Focal)

** No longer affects: glance (Ubuntu Focal)

** No longer affects: designate (Ubuntu Focal)

** No longer affects: gnocchi (Ubuntu Focal)

** No longer affects: heat (Ubuntu Focal)

** No longer affects: ironic (Ubuntu Focal)

** No longer affects: ironic-inspector (Ubuntu Focal)

** No longer affects: keystone (Ubuntu Focal)

** No longer affects: magnum (Ubuntu Focal)

** No longer affects: manila (Ubuntu Focal)

** No longer affects: masakari (Ubuntu Focal)

** No longer affects: masakari-monitors (Ubuntu Focal)

** No longer affects: mistral (Ubuntu Focal)

** No longer affects: murano-agent (Ubuntu Focal)

** No longer affects: murano (Ubuntu Focal)

** No longer affects: neutron (Ubuntu Focal)

** No longer affects: nova (Ubuntu Focal)

** No longer affects: octavia (Ubuntu Focal)

** No longer affects: openstack-trove (Ubuntu Focal)

** No longer affects: python-glance-store (Ubuntu Focal)

** No longer affects: senlin (Ubuntu Focal)

** No longer affects: swift (Ubuntu Focal)

** No longer affects: sahara (Ubuntu Focal)

** No longer affects: watcher (Ubuntu Focal)

** No longer affects: zaqar (Ubuntu Focal)

** No longer affects: zvmcloudconnector (Ubuntu Focal)

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to ironic in Ubuntu.
https://bugs.launchpad.net/bugs/1859422

Title:
  security: default ownership and permissions

Status in aodh package in Ubuntu:
  Fix Released
Status in barbican package in Ubuntu:
  Fix Released
Status in cinder package in Ubuntu:
  Fix Released
Status in designate package in Ubuntu:
  Fix Released
Status in glance package in Ubuntu:
  Fix Released
Status in gnocchi package in Ubuntu:
  Fix Released
Status in heat package in Ubuntu:
  Fix Released
Status in ironic package in Ubuntu:
  Fix Released
Status in ironic-inspector package in Ubuntu:
  Fix Released
Status in keystone package in Ubuntu:
  Fix Released
Status in magnum package in Ubuntu:
  Fix Released
Status in manila package in Ubuntu:
  Fix Released
Status in masakari package in Ubuntu:
  Fix Released
Status in masakari-monitors package in Ubuntu:
  Fix Released
Status in mistral package in Ubuntu:
  Fix Released
Status in murano package in Ubuntu:
  Fix Released
Status in murano-agent package in Ubuntu:
  Fix Released
Status in neutron package in Ubuntu:
  Fix Released
Status in nova package in Ubuntu:
  Fix Released
Status in octavia package in Ubuntu:
  Fix Released
Status in openstack-trove package in Ubuntu:
  Fix Released
Status in placement package in Ubuntu:
  Fix Released
Status in python-glance-store package in Ubuntu:
  Fix Released
Status in sahara package in Ubuntu:
  Fix Released
Status in senlin package in Ubuntu:
  Triaged
Status in swift package in Ubuntu:
  Fix Released
Status in watcher package in Ubuntu:
  Fix Released
Status in zaqar package in Ubuntu:
  Fix Released
Status in zvmcloudconnector package in Ubuntu:
  Fix Released
Status in placement source package in Focal:
  Fix Committed

Bug description:
  [Impact]
  Package should secure directories and files as below:

    chown <pkg>:adm /var/log/<pkg>
    chmod 0750 /var/log/<pkg>

    find /etc/<pkg> -exec chown root:<pkg> "{}" +
    find /etc/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

    # Optional rootwrap.d configuration files.
    find /etc/<pkg>/rootwrap.d -exec chown root:root "{}" +
    find /etc/<pkg>/rootwrap.d -type f -exec chmod 0644 "{}" + -o -type d -exec chmod 0755 "{}" +

    find /var/lib/<pkg> -exec chown <pkg>:<pkg> "{}" +
    find /var/lib/<pkg> -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

  For keystone, /etc/ files/directories should be owned by
  keystone:keystone:
  https://docs.openstack.org/security-guide/identity/checklist.html

  [Test Case]
  Regression testing via juju deployed openstack + tempest or autopkgtests for uncharmed projects.

  [Regression Potential]
  Low, the same pattern has been used across all affected openstack packages. The changes landed in focal-proposed packages earlier in the cycle for OpenStack and have received a lot of testing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/aodh/+bug/1859422/+subscriptions
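
A read-only audit of the ownership and mode layout listed in the bug description, as an added example that is not part of the bug report or of the Ubuntu packaging. The function names (audit_tree, audit_dir, audit_pkg) and the PREFIX argument are hypothetical; it assumes a POSIX shell and find, and must run as root to see every path.

```shell
#!/bin/sh
# Added example: reports deviations from the policy, changes nothing.

# audit_tree ROOT OWNER GROUP FILE_MODE DIR_MODE [SKIP_SUBTREE]
# Prints each path under ROOT that breaks the policy. Returns 1 if any do,
# 2 if find itself failed (for example, OWNER does not exist on this host).
audit_tree() {
    root=$1 owner=$2 group=$3 fmode=$4 dmode=$5 skip=${6:-}
    [ -e "$root" ] || return 0               # e.g. rootwrap.d is optional
    # rootwrap.d has a looser policy than the rest of /etc/<pkg>, so the
    # caller prunes it here and audits it separately.
    if [ -n "$skip" ]; then set -- -path "$skip" -prune -o; else set --; fi
    bad=$(find "$root" "$@" \( ! -user "$owner" -o ! -group "$group" \
            -o -type f ! -perm "$fmode" -o -type d ! -perm "$dmode" \) -print) \
        || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_dir DIR OWNER GROUP MODE
# Checks the directory itself only, matching the non-recursive
# chown/chmod on /var/log/<pkg>.
audit_dir() {
    [ -e "$1" ] || return 0
    bad=$(find "$1" -prune \( ! -user "$2" -o ! -group "$3" -o ! -perm "$4" \) \
            -print) || return 2
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# audit_pkg PKG [PREFIX]
# PREFIX is a hypothetical alternate root (chroot or unpacked image).
# Example, as root:  audit_pkg nova
audit_pkg() {
    pkg=$1 pre=${2:-} rc=0 etc_owner=root
    # Per the bug description, keystone's /etc tree is keystone:keystone.
    [ "$pkg" = keystone ] && etc_owner=keystone
    audit_dir  "$pre/var/log/$pkg" "$pkg" adm 750 || rc=1
    audit_tree "$pre/etc/$pkg" "$etc_owner" "$pkg" 640 750 \
               "$pre/etc/$pkg/rootwrap.d" || rc=1
    audit_tree "$pre/etc/$pkg/rootwrap.d" root root 644 755 || rc=1
    audit_tree "$pre/var/lib/$pkg" "$pkg" "$pkg" 640 750 || rc=1
    return $rc
}
```

The audit skips rootwrap.d when checking /etc/<pkg> because the bug's commands apply 0640/0750 to the whole tree first and then reset rootwrap.d to root:root 0644/0755; checking the final state needs the two policies kept apart.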


