[Openstack-security] [Bug 1174608] Re: Insecure directory creation for signing
OpenStack Hudson
1174608 at bugs.launchpad.net
Wed May 8 19:35:59 UTC 2013
Reviewed: https://review.openstack.org/28568
Committed: http://github.com/openstack/nova/commit/58d6879b1caaa750c39c8e452a0634c24ffef2ce
Submitter: Jenkins
Branch: master
commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce
Author: Russell Bryant <rbryant at redhat.com>
Date: Wed May 1 09:41:57 2013 -0400
Remove insecure default for signing_dir option.
The sample api-paste.ini file included an insecure value for the
signing_dir option for the keystone authtoken middleware. Comment out
the option so that we just rely on the default behavior by default.
Fix bug 1174608.
Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403
** Changed in: nova
Status: In Progress => Fix Committed
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1174608
Title:
Insecure directory creation for signing
Status in OpenStack Identity (Keystone):
Invalid
Status in Keystone folsom series:
Fix Committed
Status in OpenStack Compute (Nova):
Fix Committed
Status in OpenStack Compute (nova) folsom series:
In Progress
Status in OpenStack Compute (nova) grizzly series:
In Progress
Status in Python client library for Keystone:
Fix Committed
Bug description:
Originally found by Grant Murphy (gmurphy at redhat.com):
The signing directory is used to store the signing certificates
and the default location for this directory is:
signing_dir = /tmp/keystone-signing-nova
In the file:
keystone/middleware/auth_token.py
During the initialization of the AuthMiddleware the following
operations are made for the signing directory:
IF the directory exists but cannot be written to a configuration error is raised.
ELSE IF the directory doesn't exist, create it.
NEXT chmod permisions(stat.S_IRWXU) to the signing_directory
AFAICT The signing certificates used in validation will only be
fetched from the keystone if the cms_verify action raises an exception
because the certificate file is missing from the signing directory.
This means that if an attacker populated the /tmp/keystone-signing-nova
with the appropriate files for signautre verification they could potentially
issue forged tokens which would be validated by the middleware. As:
- The directory location deterministic. (default for glance, nova)
- *If the directory already exists it is reused*
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1174608/+subscriptions
More information about the Openstack-security
mailing list