[Bug 2060235] [NEW] keystone-common recursively changes permissions for $HOME

Dmitriy Rabotyagov 2060235 at bugs.launchpad.net
Thu Apr 4 20:29:34 UTC 2024


Public bug reported:

As part of the postinst step of the keystone-common package, the following
command executes:

find /var/lib/keystone -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +

This eventually results in incorrect behavior once the keystone user has
an .ssh/ folder under its home, since private keys would be chmod-ed to
0640, which would cause subsequent authentication failures.

SSH could be used for keystone to distribute fernet keys in case of HA
deployment for keystone. It is quite common practice to achieve fernet
distribution through SSH.

So it would be pretty much appreciated if keystone-common would avoid
recursively changing permissions under /var/lib/keystone, or at least avoid
doing so for the .ssh folder there.

** Affects: cloud-archive
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/2060235
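The following script is an added example, not code from the bug report or from the keystone-common package. It reproduces the reported sweep against a constructed stand-in for /var/lib/keystone in a temporary directory (a dummy fernet key and a dummy private key; nothing here touches the real keystone home), and contrasts it with a variant that prunes the .ssh directory via find's -path/-prune. Pruning is one possible mitigation of the kind the reporter asks for; the bug does not say how the package was actually changed, so the hardened command is an assumption. The mode check assumes GNU stat (-c '%a') with a BSD stat fallback.

```shell
#!/bin/sh
# Added example: reproduce the keystone-common postinst permission sweep
# against a constructed temp tree, then show a sweep that skips .ssh.
set -u

# Print the octal mode of a path (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Build a constructed stand-in for /var/lib/keystone: a fernet key
# directory plus an .ssh directory holding a dummy private key with the
# 0700/0600 modes that OpenSSH requires.
make_fixture() {
    _root=$(mktemp -d)
    mkdir -p "$_root/fernet-keys" "$_root/.ssh"
    printf 'constructed dummy fernet key\n' > "$_root/fernet-keys/0"
    printf 'constructed dummy private key material\n' > "$_root/.ssh/id_ed25519"
    chmod 0700 "$_root/.ssh"
    chmod 0600 "$_root/.ssh/id_ed25519"
    echo "$_root"
}

# The sweep as reported in the bug: every file becomes 0640 and every
# directory 0750, .ssh and its private key included.
sweep_naive() {
    find "${1%/}" -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" +
}

# Hardened variant (assumption, not the package's fix): prune the .ssh
# directory so its contents are never visited. The starting point is
# normalised without a trailing slash so that -path matches exactly.
sweep_prune_ssh() {
    _base=${1%/}
    find "$_base" -path "$_base/.ssh" -prune -o \
        \( -type f -exec chmod 0640 "{}" + -o -type d -exec chmod 0750 "{}" + \)
}

# Returns 0 when the .ssh directory and its key still carry the modes
# OpenSSH's strict permission checks expect.
ssh_dir_ok() {
    [ "$(mode_of "${1%/}/.ssh")" = "700" ] &&
        [ "$(mode_of "${1%/}/.ssh/id_ed25519")" = "600" ]
}

# Demonstration: run both sweeps on fresh fixtures and report the outcome.
demo_root=$(make_fixture)
sweep_naive "$demo_root"
if ssh_dir_ok "$demo_root"; then
    echo "naive sweep: .ssh intact"
else
    echo "naive sweep: key now mode $(mode_of "$demo_root/.ssh/id_ed25519") (SSH will refuse it)"
fi
rm -rf "$demo_root"

demo_root=$(make_fixture)
sweep_prune_ssh "$demo_root"
if ssh_dir_ok "$demo_root"; then
    echo "pruned sweep: .ssh intact, fernet key mode $(mode_of "$demo_root/fernet-keys/0")"
else
    echo "pruned sweep: .ssh still modified"
fi
rm -rf "$demo_root"
```

Running the script prints the key's mode after the naive sweep (640, which sshd and ssh reject for a private key) and then shows that the pruned sweep leaves .ssh at 0700/0600 while still normalising the fernet key directory to 0750/0640.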
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/2060235/+subscriptions