[openstack-dev] [kolla] the user in container should NOT have write permission for configuration file
Christian Berendt
berendt at betacloud-solutions.de
Mon Sep 26 15:03:04 UTC 2016
> On 26 Sep 2016, at 16:43, Sam Yaple <samuel at yaple.net> wrote:
>
> So this actually makes it _less_ secure. The 0600 permissions were chosen for a reason. The nova.conf file has passwords to the DB and rabbitmq. If the configuration files are world readable then those passwords could leak to an unprivileged user on the host.
Confirmed. Please do not make configuration files world readable.
We use volumes for the configuration file directories. Why do we not simply use read only volumes? This way we do not have to touch the current implementation (files are owned by the service user with 0600 permissions) and can make the configuration files read only.
Christian.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160926/c151b7e1/attachment.pgp>
More information about the OpenStack-dev
mailing list