[Openstack-security] [Bug 1674954] Re: trove log-enable causes unnecessary file permission change
Amrith Kumar
1674954 at bugs.launchpad.net
Wed Apr 12 10:42:37 UTC 2017
** Changed in: trove
Importance: Undecided => Low
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1674954
Title:
trove log-enable causes unnecessary file permission change
Status in OpenStack Security Advisory:
Won't Fix
Status in OpenStack DBaaS (Trove):
New
Bug description:
When log-enable is called, the guestagent tries to change the log directory permission to readable.
Unfortunately, it changes the permissions recursively, as shown below.
This is a security issue that allows any OS user to read the database
data files.
I believe that we should fix this line.
https://github.com/openstack/trove/blob/master/trove/guestagent/guest_log.py#L115
[samitani@samitani-mi02-member-2 ~]$ sudo grep 'Running cmd' /var/log/trove/guestagent.log
2017-03-22 19:21:47.070 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf /tmp/tmpoJ2r5O execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.078 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmpoJ2r5O execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.117 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/.+-([0-9]+)-.+\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.136 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-001-cluster.cnf /tmp/tmp0AhUIT execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.142 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp0AhUIT execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.153 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/lib/mysql/data/pxc-general.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.177 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/lib/mysql/data/pxc-general.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.183 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/log/mysqld.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.190 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/log/mysqld.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.196 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/lib/mysql/data/pxc-slow_query.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.202 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/lib/mysql/data/pxc-slow_query.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.209 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/lib/mysql/data/pxc-general.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.216 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/lib/mysql/data/pxc-general.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.222 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/log/mysqld.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.228 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/log/mysqld.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.235 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /var/lib/mysql/data/pxc-slow_query.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:21:47.241 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +664 /var/lib/mysql/data/pxc-slow_query.log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.743 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +055 /var/lib/mysql/data execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.760 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +055 /var/lib/mysql/data execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.769 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +055 /var/log/trove execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.777 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +055 /var/log execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.846 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/50-system-([0-9]+)-disable_general_log\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.853 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf /tmp/tmpNUmZt6 execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.860 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmpNUmZt6 execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.883 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/.+-([0-9]+)-.+\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.890 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-001-cluster.cnf /tmp/tmp7MujEH execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.897 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp7MujEH execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.905 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/50-system-([0-9]+)-enable_general_log\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.912 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/50-system-([0-9]+)-.+\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.920 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /tmp/tmpTVRVmR /etc/my.cnf.d/50-system-002-enable_general_log.cnf execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.926 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chown -R mysql:mysql /etc/my.cnf.d/50-system-002-enable_general_log.cnf execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.932 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /etc/my.cnf.d/50-system-002-enable_general_log.cnf execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.939 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf /tmp/tmpCzeJfw execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.945 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmpCzeJfw execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.988 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): find /etc/my.cnf.d/ -noleaf -type f -regextype posix-extended -regex .*/.+-([0-9]+)-.+\.cnf$$ execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:08.995 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-001-cluster.cnf /tmp/tmp7O4zdM execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:09.002 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp7O4zdM execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:09.010 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): cp -f -R /etc/my.cnf.d/50-system-002-enable_general_log.cnf /tmp/tmp_Kw0Ju execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:09.016 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): chmod -R +444 /tmp/tmp_Kw0Ju execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
2017-03-22 19:22:47.599 24586 DEBUG oslo_concurrency.processutils [-] Running cmd (subprocess): /usr/bin/mysqladmin ping execute /opt/trove/lib/python2.7/site-packages/oslo_concurrency/processutils.py:326
To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1674954/+subscriptions
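The effect described in the bug report, reproduced on a constructed directory as an added example (not Trove's code and not part of the original report). The logged `chmod -R +055` is modelled as OR-ing 0o055 into every mode below the directory; `chmod_scoped` is an assumed narrower alternative rather than the project's fix, and the helper names and the sample files are illustrative.

```python
import os
import stat
import tempfile

ADDED_BITS = 0o055  # operand of the logged "chmod -R +055"

def add_bits(path, bits):
    """Like `chmod +<octal> path`: OR the bits into the current mode."""
    os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | bits)

def chmod_recursive(top, bits=ADDED_BITS):
    """What the log shows: `chmod -R +055 <dir>` changes every entry below it."""
    add_bits(top, bits)
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            add_bits(os.path.join(root, name), bits)

def chmod_scoped(directory, log_file, bits=ADDED_BITS):
    """Assumed narrower alternative: the directory itself plus the one log file."""
    add_bits(directory, bits)  # no recursion, sibling files keep their modes
    add_bits(log_file, stat.S_IRGRP | stat.S_IROTH)

def build_datadir(parent):
    """Constructed stand-in for a data directory: one data file, one log."""
    datadir = os.path.join(parent, "data")
    os.mkdir(datadir, 0o700)
    paths = {n: os.path.join(datadir, n) for n in ("ibdata1", "pxc-general.log")}
    for path in paths.values():
        with open(path, "w") as handle:
            handle.write("constructed sample\n")
        os.chmod(path, 0o600)
    return datadir, paths

def compare():
    """Return {strategy: {file name: readable by 'other'}}."""
    result = {}
    for label in ("recursive", "scoped"):
        with tempfile.TemporaryDirectory() as parent:
            datadir, paths = build_datadir(parent)
            if label == "recursive":
                chmod_recursive(datadir)
            else:
                chmod_scoped(datadir, paths["pxc-general.log"])
            result[label] = {n: bool(os.stat(p).st_mode & stat.S_IROTH) for n, p in paths.items()}
    return result

if __name__ == "__main__":
    print(compare())
```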