[Bug 1675088] Re: Restrict permissions on Openstack installation
** Also affects: aodh (Ubuntu) Importance: Undecided Status: New ** No longer affects: aodh (Ubuntu) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Missed: chmod 0750 /var/lib/aodh in #24 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Scoping any further remediation work for 20.04 cycle. Permissions snippet from postinst should look something like: chown -R aodh:adm /var/log/aodh chmod 0750 /var/log/aodh chown -R root:aodh /etc/aodh chmod 0750 /etc/aodh chown -R aodh:aodh /var/lib/aodh -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
This bug was fixed in the package glance - 2:14.0.1-0ubuntu1~cloud0 --- glance (2:14.0.1-0ubuntu1~cloud0) xenial-ocata; urgency=medium . [ Chuck Short ] * d/glance-common.postinst: Make sure the permissions on /etc/glance is set to 0700. (LP: #1675088) . [ Corey Bryant ] * New stable point release for OpenStack Ocata (LP: #1759855). * d/glance-common.postinst: Fix permissions on /etc/glance so that the glance user can actually access the directory (LP: #1675088). ** Changed in: cloud-archive/ocata Status: Fix Committed => Fix Released ** Changed in: cloud-archive Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Testing has completed successfully for glance in ocata-proposed: root@x1:~# ls -al /etc/glance/ total 28 drwxr-x--- 3 root glance 4096 May 11 17:49 . And ocata-proposed regression tests passed: == Totals == Ran: 102 tests in 1806.1829 sec. - Passed: 94 - Skipped: 8 - Expected Fail: 0 - Unexpected Success: 0 - Failed: 0 Sum of execute time for each test: 1104.3589 sec. ** Tags removed: verification-ocata-needed ** Tags added: verification-ocata-done -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Marking Zesty as Won't Fix since it is no longer supported. ** Changed in: horizon (Ubuntu Zesty) Status: Triaged => Won't Fix ** Changed in: horizon (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
This was fixed since Ocata rather than Zesty/Ocata for horizon. Nonetheless it's fixed in all new horizon releases since Ocata. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Marking horizon (Ubuntu) as Fix Released as this is fixed since Zesty/Ocata. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
horizon was fix-released in 3:12.0.0~b1-0ubuntu1 for artful/pike. ** Changed in: horizon (Ubuntu Artful) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
heat is fix-released for pike cloud-archive ** Also affects: cloud-archive/ocata Importance: Undecided Status: New ** Also affects: cloud-archive/pike Importance: Undecided Status: New ** Changed in: cloud-archive/pike Status: New => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
This bug was fixed in the package heat - 1:8.0.1-0ubuntu1 --- heat (1:8.0.1-0ubuntu1) zesty; urgency=medium [ Chuck Short ] * d/heat-common.postinst: Make sure that /etc/heat has the appropriate permissions (LP: #1675088). [ James Page ] * New upstream stable release for OpenStack Ocata (LP: #1696139). -- James PageWed, 07 Jun 2017 16:02:28 +0100 ** Changed in: heat (Ubuntu Zesty) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
(NOTE that heat also forms part of the functional testing done for the 8.0.1 point release that this fix was included with). -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
# ls -l /etc | grep heat drwx-- 3 heat heat 6 Jul 4 15:46 heat # apt-cache policy heat-common heat-common: Installed: 1:8.0.1-0ubuntu1 Candidate: 1:8.0.1-0ubuntu1 Version table: *** 1:8.0.1-0ubuntu1 500 500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages 100 /var/lib/dpkg/status 1:8.0.0-0ubuntu1 500 500 http://archive.ubuntu.com/ubuntu zesty/main amd64 Packages ** Tags removed: verification-needed ** Tags added: verification-done-zesty -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
Hello Joseph, or anyone else affected, Accepted heat into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/heat/1:8.0.1-0ubuntu1 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance! ** Changed in: heat (Ubuntu Zesty) Status: In Progress => Fix Committed ** Tags added: verification-needed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
This bug was fixed in the package heat - 1:9.0.0~b1-0ubuntu2 --- heat (1:9.0.0~b1-0ubuntu2) artful; urgency=medium * No-change rebuild for sqlalchemy 1.1.x. -- James PageFri, 28 Apr 2017 10:04:45 +0100 ** Changed in: heat (Ubuntu Artful) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
** Description changed: + [Impact] + Default configuration file permissions may allow read by unprivileged users other than the package system account. + + [Test Case] + + + [Regression Potential] + + [Original Bug Report] Example given by CPE: Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon Permssions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder Permssions for /etc/glance/ are too loose (755). Should be 700, glance:glance Permssions for /etc/heat/ are too loose (750). Should be 700, heat:heat Permssions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:ceilometer - Will leave for you to evaluate best permissions. ** Description changed: [Impact] Default configuration file permissions may allow read by unprivileged users other than the package system account. [Test Case] + sudo apt install -common + ls -l /etc/ + a) folder will be readable b) files may be readable [Regression Potential] [Original Bug Report] Example given by CPE: Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon Permssions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder Permssions for /etc/glance/ are too loose (755). Should be 700, glance:glance Permssions for /etc/heat/ are too loose (750). Should be 700, heat:heat Permssions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:ceilometer Will leave for you to evaluate best permissions. ** Description changed: [Impact] Default configuration file permissions may allow read by unprivileged users other than the package system account. [Test Case] sudo apt install -common ls -l /etc/ - a) folder will be readable b) files may be readable - + a) folder may be readable b) files may be readable [Regression Potential] + [Original Bug Report] Example given by CPE: Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon Permssions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder Permssions for /etc/glance/ are too loose (755). Should be 700, glance:glance Permssions for /etc/heat/ are too loose (750). Should be 700, heat:heat Permssions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:ceilometer Will leave for you to evaluate best permissions. ** Description changed: [Impact] Default configuration file permissions may allow read by unprivileged users other than the package system account. [Test Case] sudo apt install -common ls -l /etc/ a) folder may be readable b) files may be readable [Regression Potential] + Medium; if a openstack daemon can't read its config files, it won't startup; however most packages are covered by DEP-8 tests and we'll test + a full OpenStack deployment using the normal SRU testing process: + https://wiki.ubuntu.com/OpenStack/StableReleaseUpdates [Original Bug Report] Example given by CPE: Permssions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon Permssions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder Permssions for /etc/glance/ are too loose (755). Should be 700, glance:glance Permssions for /etc/heat/ are too loose (750). Should be 700, heat:heat Permssions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:ceilometer Will leave for you to evaluate best permissions. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
heat fix is stuck in artful-proposed (Marked Fix Committed). ** Also affects: heat (Ubuntu Artful) Importance: Undecided Status: New ** Also affects: heat (Ubuntu Zesty) Importance: Undecided Status: New ** Changed in: heat (Ubuntu Artful) Status: New => Fix Committed ** Changed in: heat (Ubuntu Artful) Importance: Undecided => Medium ** Changed in: heat (Ubuntu Zesty) Importance: Undecided => Medium ** Changed in: heat (Ubuntu Zesty) Status: New => In Progress ** Also affects: horizon (Ubuntu) Importance: Undecided Status: New ** Changed in: horizon (Ubuntu Artful) Status: New => Fix Committed ** Changed in: horizon (Ubuntu Artful) Importance: Undecided => Medium ** Changed in: horizon (Ubuntu Zesty) Importance: Undecided => Medium ** Changed in: horizon (Ubuntu Zesty) Status: New => Triaged ** Changed in: horizon (Ubuntu Zesty) Status: Triaged => In Progress ** Changed in: horizon (Ubuntu Zesty) Status: In Progress => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1675088] Re: Restrict permissions on Openstack installation
** Also affects: heat (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1675088 Title: Restrict permissions on Openstack installation To manage notifications about this bug go to: https://bugs.launchpad.net/cloud-archive/+bug/1675088/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs