[oslo][security] Are config files vetted for ownership/permissions?

Jeremy Stanley fungi at yuggoth.org
Fri Oct 18 23:47:29 UTC 2019

On 2019-10-18 17:18:25 -0500 (-0500), Eric Fried wrote:
> When $service loads up a config file like /etc/nova/nova.conf via
> oslo.config, is there anything that makes sure the dir and/or file are
> owned by the process user/group and have appropriate permissions? E.g.
> to prevent $hacker from modifying/replacing config opts and making
> $service do horrible things to my system/cloud. (I'm less concerned with
> $hacker seeing passwords etc., though I expect we would be accounting
> for both or neither.)

As with most software, taking care of this is generally up to
whoever implements deployment and packaging solutions. Those are in
the best position to know what user and group IDs have been created
for this purpose, and to set permissions and ownership for them
accordingly. If you're asking whether any of our software implements
"this conffile's permissions are too loose!" warnings (like how
OpenSSH refuses to start if your private key is world-readable), I'm
not aware of any, no.
Jeremy Stanley
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 963 bytes
Desc: not available
URL: <http://lists.openstack.org/pipermail/openstack-discuss/attachments/20191018/b0996dbe/attachment.sig>

More information about the openstack-discuss mailing list