[Yahoo-eng-team] [Bug 1611171] Re: re-runs self via sudo
Reviewed: https://review.openstack.org/371920
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=0d4438368fd769a0e6b83bfdaf1cb980f888c504
Submitter: Zuul
Branch: master

commit 0d4438368fd769a0e6b83bfdaf1cb980f888c504
Author: Iswarya_Vakati
Date: Sat Sep 17 17:07:16 2016 +0530

    Don't attempt to escalate manila-manage privileges

    Remove code which allowed manila-manage to attempt to escalate
    privileges so that configuration files can be read by users who
    normally wouldn't have access, but do have sudo access.

    Change-Id: Ie3bf9a81ee8d723cd8618643fa9d7382462aae42
    Closes-Bug: #1611171

** Changed in: manila
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1611171

Title:
  re-runs self via sudo

Status in Cinder:
  Fix Released
Status in Designate:
  Fix Released
Status in ec2-api:
  Fix Released
Status in gce-api:
  Fix Released
Status in Manila:
  Fix Released
Status in masakari:
  Fix Released
Status in OpenStack Compute (nova):
  Fix Released
Status in OpenStack Compute (nova) newton series:
  Fix Committed
Status in OpenStack Security Advisory:
  Won't Fix
Status in Rally:
  Fix Released

Bug description:
  Hello,

  I'm looking through Designate source code to determine if it is
  appropriate to include in Ubuntu Main. This isn't a full security
  audit.

  This looks like trouble:

  ./designate/cmd/manage.py

      def main():
          CONF.register_cli_opt(category_opt)
          try:
              utils.read_config('designate', sys.argv)
              logging.setup(CONF, 'designate')
          except cfg.ConfigFilesNotFoundError:
              cfgfile = CONF.config_file[-1] if CONF.config_file else None
              if cfgfile and not os.access(cfgfile, os.R_OK):
                  st = os.stat(cfgfile)
                  print(_("Could not read %s. Re-running with sudo") % cfgfile)
                  try:
                      os.execvp('sudo', ['sudo', '-u', '#%s' % st.st_uid] + sys.argv)
                  except Exception:
                      print(_('sudo failed, continuing as if nothing happened'))

              print(_('Please re-run designate-manage as root.'))
              sys.exit(2)

  This is an interesting decision -- if the configuration file is _not_
  readable by the user in question, give the executing user complete
  privileges of the user that owns the unreadable file.

  I'm not a fan of hiding privilege escalation / modifications in
  programs -- if a user had recently used sudo and thus had the
  authentication token already stored for their terminal, this 'hidden'
  use of sudo may be unexpected and unwelcome, especially since it
  appears that argv from the first call leaks through to the sudo call.

  Is this intentional OpenStack style? Or unexpected for you guys too?

  (Feel free to make this public at your convenience.)

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1611171/+subscriptions

--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
[Yahoo-eng-team] [Bug 1743922] Re: Choice of image source even when file is the only option
Reviewed: https://review.openstack.org/554504
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=63ab3606c049429d9294a28ef2d6d0b2e0ac3d85
Submitter: Zuul
Branch: master

commit 63ab3606c049429d9294a28ef2d6d0b2e0ac3d85
Author: Dongjx
Date: Tue Mar 20 19:01:05 2018 +0800

    Delete choice of image source when file is the only option

    Change-Id: I4b4960722a48b7fb7758062539d7dd6a70f933df
    Closes-Bug: #1743922

** Changed in: horizon
   Status: In Progress => Fix Released

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1743922

Title:
  Choice of image source even when file is the only option

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  The current default settings only allow an image to be uploaded by
  file, not by URL as was relevant in older versions of cinder, but
  Horizon still shows a selector on the Create Image page. If the option
  for upload via URL is not enabled, a selector should not be shown.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1743922/+subscriptions
[Yahoo-eng-team] [Bug 1754359] Re: Apache configuration missing
The default configuration provided by Ubuntu is correct. We are
discouraging creating a vhost on port 35357 because it is not needed as
of the Queens release. This is also not a documentation bug; if there is
a problem with Ubuntu's packaging it should be addressed with the Ubuntu
cloud team. In this case I do not believe there is a problem with the
default Apache file they've provided.

** Changed in: keystone
   Status: Triaged => Invalid

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1754359

Title:
  Apache configuration missing

Status in OpenStack Identity (keystone):
  Invalid

Bug description:
  - [ ] This doc is inaccurate in this way: __
  - [X] This is a doc addition request.
  - [ ] I have a fix to the document that I can paste below including
        example: input and output.

  Below, the good apache2 configuration for keystone:

  File : /etc/apache2/sites-available/keystone.conf

      Listen 5000
      Listen 35357

      <VirtualHost *:5000>
          WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
          WSGIProcessGroup keystone-public
          WSGIScriptAlias / /usr/bin/keystone-wsgi-public
          WSGIApplicationGroup %{GLOBAL}
          WSGIPassAuthorization On
          ErrorLogFormat "%{cu}t %M"
          ErrorLog /var/log/apache2/keystone.log
          CustomLog /var/log/apache2/keystone_access.log combined

          <Directory /usr/bin>
              Require all granted
          </Directory>
      </VirtualHost>

      <VirtualHost *:35357>
          WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
          WSGIProcessGroup keystone-admin
          WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
          WSGIApplicationGroup %{GLOBAL}
          WSGIPassAuthorization On
          ErrorLogFormat "%{cu}t %M"
          ErrorLog /var/log/apache2/keystone.log
          CustomLog /var/log/apache2/keystone_access.log combined

          <Directory /usr/bin>
              Require all granted
          </Directory>
      </VirtualHost>

  Default configuration, but wrong:

      Listen 5000

      <VirtualHost *:5000>
          WSGIScriptAlias / /usr/bin/keystone-wsgi-public
          WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
          WSGIProcessGroup keystone-public
          WSGIApplicationGroup %{GLOBAL}
          WSGIPassAuthorization On
          LimitRequestBody 114688
          <IfVersion >= 2.4>
            ErrorLogFormat "%{cu}t %M"
          </IfVersion>
          ErrorLog /var/log/apache2/keystone.log
          CustomLog /var/log/apache2/keystone_access.log combined

          <Directory /usr/bin>
              <IfVersion >= 2.4>
                  Require all granted
              </IfVersion>
              <IfVersion < 2.4>
                  Order allow,deny
                  Allow from all
              </IfVersion>
          </Directory>
      </VirtualHost>

      Alias /identity /usr/bin/keystone-wsgi-public
      <Location /identity>
          SetHandler wsgi-script
          Options +ExecCGI

          WSGIProcessGroup keystone-public
          WSGIApplicationGroup %{GLOBAL}
          WSGIPassAuthorization On
      </Location>

  DISTRIB_DESCRIPTION="Ubuntu 16.04.4 LTS"
  OpenStack Version : Queens

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1754359/+subscriptions
[Yahoo-eng-team] [Bug 1758486] Re: nova cant attach volume, unathorized
** Also affects: cinder
   Importance: Undecided
       Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1758486

Title:
  nova cant attach volume, unathorized

Status in Cinder:
  New
Status in OpenStack Compute (nova):
  New

Bug description:
  After upgrading to Queens, nova is unable to attach a volume from
  cinder.

  ```
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi [req-6cb77dfe-f718-42d5-a83a-10fa80dea989 fa4ca618dd5247a0841adeac574b54d6 7265d9424e8e4719aa192b08b6d0227b - default default] Unexpected exception in API method: Unauthorized: The request you have made requires authentication. (HTTP 401)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi Traceback (most recent call last):
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/api/openstack/wsgi.py", line 788, in wrapped
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return f(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/api/validation/__init__.py", line 108, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return func(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/api/validation/__init__.py", line 108, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return func(*args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/api/openstack/compute/volumes.py", line 336, in create
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     supports_multiattach=supports_multiattach)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 203, in inner
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return function(self, context, instance, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 151, in inner
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return f(self, context, instance, *args, **kw)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/compute/api.py", line 3940, in attach_volume
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     volume = self.volume_api.get(context, volume_id)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 291, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     res = method(self, ctx, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 313, in wrapper
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     res = method(self, ctx, volume_id, *args, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/lib/python2.7/dist-packages/nova/volume/cinder.py", line 379, in get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     context, microversion=microversion).volumes.get(volume_id)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/local/lib/python2.7/dist-packages/cinderclient/v2/volumes.py", line 308, in get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return self._get("/volumes/%s" % volume_id, "volume")
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/local/lib/python2.7/dist-packages/cinderclient/base.py", line 321, in _get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     resp, body = self.api.client.get(url)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 199, in get
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return self._cs_request(url, 'GET', **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 190, in _cs_request
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     return self.request(url, method, **kwargs)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi   File "/usr/local/lib/python2.7/dist-packages/cinderclient/client.py", line 176, in request
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi     raise exceptions.from_response(resp, body)
  2018-03-24 09:24:12.781 23797 ERROR nova.api.openstack.wsgi Unauthorized: The request you have made requires authentication. (HTTP 401)
  2018-03-24 09:24:12.781