[Openstack-security] [Bug 1556231] Re: Rootwrap configuration has incorrect ownership
Kevin Carter
kevin.carter at rackspace.com
Fri Mar 11 18:40:48 UTC 2016
Mitigation while waiting on patches to land:
Mitigation for Nova:
ansible nova_all -m shell -a 'chown root:root /etc/nova/rootwrap.conf'
ansible nova_all -m shell -a 'chown -R root:root /etc/nova/rootwrap.d'
Mitigation for Neutron:
ansible neutron_all -m shell -a 'chown root:root /etc/neutron/rootwrap.conf'
ansible neutron_all -m shell -a 'chown -R root:root /etc/neutron/rootwrap.d'
Mitigation for Cinder:
ansible cinder_all -m shell -a 'chown root:root /etc/cinder/rootwrap.conf'
ansible cinder_all -m shell -a 'chown -R root:root /etc/cinder/rootwrap.d'
Mitigation for Ceilometer:
ansible ceilometer_all -m shell -a 'chown root:root /etc/ceilometer/rootwrap.conf'
ansible ceilometer_all -m shell -a 'chown -R root:root /etc/ceilometer/rootwrap.d'
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1556231
Title:
Rootwrap configuration has incorrect ownership
Status in openstack-ansible:
Fix Committed
Status in openstack-ansible kilo series:
Confirmed
Status in openstack-ansible liberty series:
In Progress
Status in openstack-ansible trunk series:
Fix Committed
Bug description:
The /etc/<openstack_service>/rootwrap.conf file and
/etc/<openstack_service>/rootwrap.d directory and its contents created
by the Nova, Neutron, Cinder and Ceilometer playbooks/roles are
incorrectly owned by a user other than root.
This is a security vulnerability inasmuch as it may allow users with
lower privileges to modify the rootwrap configuration and escalate
privileges.
To manage notifications about this bug go to:
https://bugs.launchpad.net/openstack-ansible/+bug/1556231/+subscriptions
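A read-only check for the condition described in the bug, added here as an example and not part of the original message or of openstack-ansible: it lists every rootwrap path for the four named services that is not owned by root, or that is writable by group or others. The function name audit_rootwrap and its ROOT and OWNER parameters are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of rootwrap
# configuration ownership. ROOT and OWNER are hypothetical parameters so the
# check can also run against a staging tree or an extracted backup.

SERVICES="nova neutron cinder ceilometer"   # services named in the bug report

# audit_rootwrap [ROOT] [OWNER]
# Prints every rootwrap path under ROOT/etc/<service> that is not owned by
# OWNER (default uid 0, root) or that is group- or world-writable.
# Returns 0 when nothing is found, 1 otherwise.
audit_rootwrap() {
    root=${1:-}
    owner=${2:-0}
    findings=0
    for svc in $SERVICES; do
        for target in "$root/etc/$svc/rootwrap.conf" "$root/etc/$svc/rootwrap.d"; do
            [ -e "$target" ] || continue      # service not deployed on this host
            # Symlink mode bits are meaningless, so only their owner is checked.
            bad=$(find "$target" \
                \( ! -user "$owner" \
                   -o \( ! -type l \( -perm -020 -o -perm -002 \) \) \) -print)
            if [ -n "$bad" ]; then
                printf '%s\n' "$bad" | sed "s|^|FINDING $svc: |"
                findings=1
            fi
        done
    done
    return "$findings"
}

# Usage on a host: audit_rootwrap          (audits /etc/<service> as-is)
```

Running it before and after the chown commands above confirms that the mitigation covered the contents of rootwrap.d as well as the directory itself.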