[Openstack-security] [Bug 1427228] Fix merged to neutron (master)
OpenStack Infra
1427228 at bugs.launchpad.net
Thu Apr 2 11:39:31 UTC 2015
Reviewed: https://review.openstack.org/161494
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
Submitter: Jenkins
Branch: master
commit fbc22784149cd6b3ca6d8161e360d3d7c10d94ac
Author: Cedric Brandily <zzelle at gmail.com>
Date: Tue Mar 3 22:26:52 2015 +0000
Allow metadata proxy to log with nobody user/group
Currently the metadata proxy cannot run with the nobody user/group, as
the metadata proxy (like other services) uses the WatchedFileHandler
handler to log to a file, which does not support a permissions drop
(the process must be able to r/w after the permissions drop to "watch"
the file).
This change allows enabling/disabling log watch in metadata proxies
with the new option metadata_proxy_log_watch. It should be disabled
when metadata_proxy_user/group is not allowed to read/write the
metadata proxy log files. The option's default value is deduced from
metadata_proxy_user:
* True if metadata_proxy_user is the agent's effective user id/name,
* False otherwise.
When log watch is disabled and logrotate is enabled on the metadata
proxy log files, the 'copytruncate' logrotate option must be used;
otherwise metadata proxy logs will be lost after the first log rotation.
DocImpact
Change-Id: I40a7bd82a2c60d9198312fdb52e3010c60db3511
Partial-Bug: #1427228
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1427228
Title:
Allow to run neutron-ns-metadata-proxy as nobody
Status in OpenStack Neutron (virtual network service):
In Progress
Bug description:
Currently neutron-ns-metadata-proxy runs with the neutron user/group
permissions on the l3-agent, but we should allow running it with fewer
permissions, as the neutron user is allowed to run neutron-rootwrap. We
should restrict neutron-ns-metadata-proxy's permissions as much as
possible, as it is reachable from VMs.
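The commit message above contrasts Python's WatchedFileHandler, which must reopen the log file after every rotation (impossible once the proxy has dropped to a user that cannot write the file), with a plain file handler that tolerates the permission drop but only survives logrotate's 'copytruncate'. The Python example below is added here to show that behaviour on disk; it is not Neutron code, it performs no actual setuid, and `default_log_watch` / `agent_identities` are my own reconstruction of the default rule the message states.

```python
import logging
import logging.handlers
import os
import pwd
import shutil
import tempfile

def agent_identities():
    """Effective uid (as a string) plus, if resolvable, user name of this process."""
    euid = os.geteuid()
    try:
        return (str(euid), pwd.getpwuid(euid).pw_name)
    except KeyError:  # uid without a passwd entry (common in containers)
        return (str(euid),)

def default_log_watch(metadata_proxy_user):
    """Default rule from the commit message: watch the log only when the proxy
    keeps the agent's own effective user (given as a uid or a name)."""
    return str(metadata_proxy_user) in agent_identities()

def rotate_by_rename(path):
    """logrotate's default: move the file aside. A writer holding the old
    descriptor keeps writing into the renamed inode, never into 'path'."""
    os.rename(path, path + ".1")

def rotate_by_copytruncate(path):
    """logrotate 'copytruncate': copy aside, then truncate in place (same inode)."""
    shutil.copyfile(path, path + ".1")
    with open(path, "r+") as f:
        f.truncate(0)

def lines_after_rotation(watch, rotate):
    """Log, rotate, log again; return the live file's lines (None if it is gone).
    WatchedFileHandler stats the path on every emit and reopens it when the inode
    changed (that reopen needs write access after a permission drop); FileHandler
    never reopens, but its mode 'a' (O_APPEND) writes land at the truncated end."""
    path = os.path.join(tempfile.mkdtemp(), "metadata-proxy.log")
    cls = logging.handlers.WatchedFileHandler if watch else logging.FileHandler
    handler = cls(path)
    logger = logging.getLogger("demo.%s.%s" % (watch, rotate.__name__))
    logger.propagate, logger.handlers = False, [handler]
    logger.setLevel(logging.INFO)
    logger.info("before rotation")
    rotate(path)
    logger.info("after rotation")
    handler.close()
    if not os.path.exists(path):
        return None
    with open(path) as f:
        return f.read().splitlines()
```

With watch disabled, only copytruncate keeps lines arriving in the live file, which is exactly the caveat the commit message gives for metadata_proxy_log_watch=False.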