[openstack-dev] Service password storage

Jeremy Stanley fungi at yuggoth.org
Mon Jan 11 17:38:30 UTC 2016

On 2016-01-11 11:37:09 +0100 (+0100), Levin wrote:
> I installed OpenStack via DevStack recently, and I found out that the
> admin passwords for services like cinder and nova are stored in plain
> text in their /etc/*/*.conf files. These files are rw--r--r-- by
> default, which I believe to be a pretty serious security risk. Is this
> intended, and/or configurable pre-install?

While I don't have a real answer (I'll leave that to the DevStack
maintainers and QA team), please be aware that DevStack is a
development/testing tool which should not be used in production and
should not be trusted to host any security-sensitive systems or
data. The OpenStack Vulnerability Management Team expressly do not
accept vulnerability reports about DevStack nor do they issue
security advisories about it. You should operate it with
expectations that it's insecure, and that it will also probably
destroy any system on which it runs.

Jeremy Stanley