
group.of.nepali.translators team mailing list archive

[Bug 1755027] Re: [SRU] local_settings.py is world readable and contains passwords

 

This bug was fixed in the package horizon - 2:9.1.2-0ubuntu5~cloud0
---------------

 horizon (2:9.1.2-0ubuntu5~cloud0) trusty-mitaka; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 horizon (2:9.1.2-0ubuntu5) xenial; urgency=medium
 .
   [ Seyeong Kim ]
   * Hide unused consistency groups tab (LP: #1582725)
     - d/p/hide-unused-consistency-groups.patch: Pick some policies from
       upstream commit 388708b251b0487bb22fb3ebb8fcb36ee4ffdc4f to hide
       unused consistency groups tab.
 .
   [ Corey Bryant ]
   * d/openstack-dashboard.postinst: Ensure permissions are not
     world-readable for /etc/openstack-dashboard/local_settings.py
     (LP: #1755027).
 .
   [ Shane Peters ]
   * d/p/let-nova-to-pick-availability-zone.patch:
     In the Angular Launch Instance, if there is more than one
     availability zone default to the option for the Nova scheduler to pick.
     This is a regression from the legacy Launch Instance feature (LP: #1613900).


** Changed in: cloud-archive/mitaka
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1755027

Title:
  [SRU] local_settings.py is world readable and contains passwords

Status in OpenStack openstack-dashboard charm:
  Fix Released
Status in Ubuntu Cloud Archive:
  Invalid
Status in Ubuntu Cloud Archive kilo series:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Fix Released
Status in Ubuntu Cloud Archive newton series:
  Fix Released
Status in Ubuntu Cloud Archive ocata series:
  Fix Released
Status in Ubuntu Cloud Archive pike series:
  Fix Released
Status in designate-dashboard package in Ubuntu:
  Invalid
Status in horizon package in Ubuntu:
  Invalid
Status in murano-dashboard package in Ubuntu:
  Invalid
Status in neutron-lbaas-dashboard package in Ubuntu:
  Invalid
Status in sahara-dashboard package in Ubuntu:
  Invalid
Status in trove-dashboard package in Ubuntu:
  Invalid
Status in horizon source package in Trusty:
  Fix Committed
Status in horizon source package in Xenial:
  Fix Committed
Status in murano-dashboard source package in Xenial:
  Fix Committed
Status in sahara-dashboard source package in Xenial:
  Fix Committed
Status in trove-dashboard source package in Xenial:
  Fix Committed
Status in designate-dashboard source package in Artful:
  Fix Committed
Status in murano-dashboard source package in Artful:
  Fix Committed
Status in sahara-dashboard source package in Artful:
  Fix Committed
Status in trove-dashboard source package in Artful:
  Fix Committed

Bug description:
  [Impact]

  nobody@juju-a45617-0-lxd-4:/$ grep PASSWORD /etc/openstack-dashboard/local_settings.py
          'PASSWORD': 'yNXwml0TXuWjcW19jDzE49IiohSIMY',
  #EMAIL_HOST_PASSWORD = 'top-secret!'
  #OPENSTACK_ENABLE_PASSWORD_RETRIEVE = False
  OPENSTACK_ENABLE_PASSWORD_RETRIEVE = True
  #ENFORCE_PASSWORD_CHECK = False
  nobody@juju-a45617-0-lxd-4:/$

  Needless to say, I should not be able to see passwords as 'nobody'.

  This is on a customer site, but I've reproduced at least the world
  readableness with a fresh deploy of cs:openstack-dashboard locally.

  This release sports mostly bug-fixes and we would like to make sure all of our
  supported customers have access to these improvements.
  The update contains the following package updates:

     * <TODO: Create list with package names and versions>

  [Test Case]
  apt install openstack-dashboard
  sudo ls -al /etc/openstack-dashboard/

  permissions should be:
  -rw-r----- 1 root horizon 30995 Mar 13 14:12 local_settings.py

  sudo ls -al /var/lib/openstack-dashboard/ # should be recursively
  owned by horizon:horizon before and after installing any dashboard
  plugins

  [Regression Potential]
  Very minimal regression potential. The fix is already in artful/pike and bionic/queens.

  [Discussion]
  The following comment is copied from comment #30 below but important to call out for SRU review:

  coreycb: I've uploaded designate-dashboard, murano-dashboard, trove-
  dashboard, and sahara-dashboard to the Artful Unapproved queue where
  they are awaiting review by the SRU team. Note that these changes are
  only updating these dashboards to use the proper user:group when
  performing chown on /var/lib/openstack-dashboard. This may look
  tangential when just looking at the Artful packages but it aligns with
  the changes being made for the Ocata cloud-archive (and already made
  in Bionic) that run openstack-dashboard under horizon:horizon instead
  of under www-data:www-data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-openstack-dashboard/+bug/1755027/+subscriptions
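The [Test Case] above is checked by eye with `ls -al`. The script below is an added example, not part of the bug report, the openstack-dashboard charm or the horizon package's postinst: it turns the same three checks into shell functions an operator can run as an audit after an upgrade or after installing a dashboard plugin. It assumes GNU coreutils `stat -c` (as on Ubuntu); the expected owner `root`/`horizon` and the `/etc/openstack-dashboard/local_settings.py` and `/var/lib/openstack-dashboard` paths are the ones named in the bug and are passed in as parameters, so the functions can be pointed at any file or tree. `harden_config` applies the same mode and ownership the fixed package sets; `list_live_password_settings` goes a little beyond the test case by listing the uncommented `PASSWORD` settings in the file, which is what would actually be exposed while the mode is wrong.

```shell
#!/bin/sh
# Added example: permission and ownership audit for an OpenStack dashboard host.
# Assumes GNU stat (coreutils). Paths and owners are parameters, not hard-coded.

# check_not_world_readable FILE
# Succeeds only if the "other" permission class has no bits set (e.g. 0640, 0600).
check_not_world_readable() {
    f="$1"
    mode=$(stat -c '%a' "$f") || return 2
    other=${mode#"${mode%?}"}          # last octal digit = "other" class
    [ "$other" = "0" ]
}

# check_owner FILE USER GROUP
# Succeeds if the file is owned by exactly USER:GROUP (the bug expects root:horizon).
check_owner() {
    f="$1"; want_user="$2"; want_group="$3"
    got=$(stat -c '%U:%G' "$f") || return 2
    [ "$got" = "$want_user:$want_group" ]
}

# check_tree_owner DIR USER GROUP
# Succeeds if every entry under DIR is owned by USER:GROUP; prints offenders to stderr.
# Mirrors the bug's requirement that /var/lib/openstack-dashboard stay horizon:horizon
# before and after installing dashboard plugins.
check_tree_owner() {
    d="$1"; want_user="$2"; want_group="$3"
    bad=$(find "$d" -exec stat -c '%U:%G %n' {} + | grep -v "^$want_user:$want_group " || true)
    if [ -n "$bad" ]; then
        printf 'entries not owned by %s:%s:\n%s\n' "$want_user" "$want_group" "$bad" >&2
        return 1
    fi
    return 0
}

# harden_config FILE USER GROUP
# Applies the ownership and 0640 mode the fixed package's postinst enforces.
harden_config() {
    f="$1"; user="$2"; group="$3"
    chown "$user:$group" "$f" && chmod 0640 "$f"
}

# list_live_password_settings FILE
# Prints "LINENO:line" for each uncommented PASSWORD assignment, i.e. the values that
# leak while the file is world-readable. Commented defaults such as
# "#EMAIL_HOST_PASSWORD = ..." and flags like OPENSTACK_ENABLE_PASSWORD_RETRIEVE are skipped.
list_live_password_settings() {
    f="$1"
    grep -nE "PASSWORD['\"]*[[:space:]]*[:=]" "$f" | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Stand-alone usage against the paths from the bug (requires root to read the file):
#   check_not_world_readable /etc/openstack-dashboard/local_settings.py || echo "world-readable"
#   check_owner /etc/openstack-dashboard/local_settings.py root horizon || echo "wrong owner"
#   check_tree_owner /var/lib/openstack-dashboard horizon horizon || echo "tree ownership drift"
```

Run the three checks as a non-root user first: if `check_not_world_readable` passes but `grep PASSWORD` still works as `nobody`, look for a second copy of the settings (a plugin's own `local_settings.d` file or a leftover `.dpkg-old`) rather than at the mode of this one file.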