[oslo][security] Are config files vetted for ownership/permissions?
fungi at yuggoth.org
Fri Oct 18 23:47:29 UTC 2019
On 2019-10-18 17:18:25 -0500 (-0500), Eric Fried wrote:
> When $service loads up a config file like /etc/nova/nova.conf via
> oslo.config, is there anything that makes sure the dir and/or file are
> owned by the process user/group and have appropriate permissions? E.g.
> to prevent $hacker from modifying/replacing config opts and making
> $service do horrible things to my system/cloud. (I'm less concerned with
> $hacker seeing passwords etc., though I expect we would be accounting
> for both or neither.)
As with most software, taking care of this is generally up to
whoever implements deployment and packaging solutions. Those are in
the best position to know what user and group IDs have been created
for this purpose, and to set permissions and ownership for them
accordingly. If you're asking whether any of our software implements
"this conffile's permissions are too loose!" warnings (like how
OpenSSH refuses to start if your private key is world-readable), I'm
not aware of any, no.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 963 bytes
Desc: not available
More information about the openstack-discuss