On Mon, Sep 26, 2016 at 4:32 PM, Jeffrey Zhang
wrote:
> Hey Sam,
>
> Yes. World readable is bad. But writable by the currently running service is
> also bad.
>
> But in nova.conf, the rootwrap_config is configurable. It can be changed
> to a custom file to gain root
On Mon, Sep 26, 2016 at 3:03 PM, Christian Berendt <bere...@betacloud-solutions.de> wrote:
> > On 26 Sep 2016, at 16:43, Sam Yaple wrote:
> >
> > So this actually makes it _less_ secure. The 0600 permissions were
> chosen for a reason. The nova.conf file has passwords to the
Hey Sam,
Yes. World readable is bad. But writable by the currently running service is
also bad.
But in nova.conf, the rootwrap_config is configurable. It can be changed to
a custom file to gain root permission.
# nova.conf
rootwrap_config = /tmp/rootwrap.conf
# /tmp/rootwrap.conf
[DEFAULT]
On Mon, Sep 26, 2016 at 11:03 PM, Christian Berendt <bere...@betacloud-solutions.de> wrote:
> Confirmed. Please do not make configuration files world readable.
>
> We use volumes for the configuration file directories. Why do we not
> simply use read only volumes? This way we do not have to
Sam is correct here. This is the why behind the how ☺
Regards
-steve
From: Sam Yaple
Reply-To: "s...@yaple.net" , "OpenStack Development Mailing List (not for usage questions)"
Date: Monday, September 26, 2016 at 7:43 AM
> On 26 Sep 2016, at 16:43, Sam Yaple wrote:
>
> So this actually makes it _less_ secure. The 0600 permissions were chosen for
> a reason. The nova.conf file has passwords to the DB and rabbitmq. If the
> configuration files are world readable then those passwords could leak
On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang
wrote:
> Using the same user for running the service and owning the configuration files
> is a danger, i.e. the user the service runs as shouldn't change the
> configuration files.
>
> A simple attack looks like this:
> * a hacker hacked into
Using the same user for running the service and owning the configuration files
is a danger, i.e. the user the service runs as shouldn't change the
configuration files.
A simple attack looks like this:
* a hacker hacked into nova-api container with nova user
* he can change the /etc/nova/rootwrap.conf file and
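The thread raises two separate properties of nova.conf: it must not be world readable (it carries DB and RabbitMQ passwords), and it must not be writable by the account the service runs as (otherwise rootwrap_config can be pointed at an attacker-controlled file). The audit script below, written for this page and not part of Kolla or Nova, checks both, and additionally flags a rootwrap_config value that resolves outside the expected configuration directory. The trusted directory (/etc/nova), the service uid/gid arguments, and the two sample configuration files it creates under a temporary directory are all assumptions constructed for the example.

```python
"""Audit a nova.conf for the weaknesses discussed in the thread:
world-readable mode, writability by the service account, and a
rootwrap_config pointer that escapes the trusted config directory."""
import configparser
import os
import stat
import tempfile

# Assumption for this example: rootwrap config is expected under this directory.
TRUSTED_CONF_DIR = "/etc/nova"


def perm_findings(path, service_uid, service_gid, label):
    """Return a list of findings about one file's mode and ownership
    relative to the uid/gid the service runs as."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & stat.S_IROTH:
        findings.append(f"{label}: world-readable (mode {mode:04o})")
    if mode & stat.S_IWOTH:
        findings.append(f"{label}: world-writable (mode {mode:04o})")
    # The service user owning a file it can write to is the case the
    # thread warns about: it can redirect rootwrap_config at will.
    if st.st_uid == service_uid and mode & stat.S_IWUSR:
        findings.append(f"{label}: owned by and writable by the service user")
    if st.st_gid == service_gid and mode & stat.S_IWGRP:
        findings.append(f"{label}: group-writable by the service group")
    return findings


def audit_nova_conf(conf_path, service_uid, service_gid):
    """Audit nova.conf itself, then follow its rootwrap_config pointer."""
    findings = perm_findings(conf_path, service_uid, service_gid, "nova.conf")
    # nova.conf is INI-style; interpolation is off because oslo.config
    # values may legitimately contain '%' characters.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read(conf_path)
    rootwrap = cp.get("DEFAULT", "rootwrap_config", fallback=None)
    if rootwrap is not None:
        real = os.path.realpath(rootwrap)
        trusted = TRUSTED_CONF_DIR.rstrip("/") + "/"
        if not real.startswith(trusted):
            findings.append(
                f"rootwrap_config points outside {TRUSTED_CONF_DIR}: {rootwrap}")
        if os.path.exists(real):
            findings.extend(
                perm_findings(real, service_uid, service_gid, "rootwrap.conf"))
    return findings


def demo():
    """Constructed sample: a weak nova.conf (0644, owned by the 'service'
    uid, rootwrap redirected to /tmp) beside a hardened one (0600, owned
    by a different uid, rootwrap under /etc/nova). Returns both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "nova.conf")
        with open(weak, "w") as f:
            f.write("[DEFAULT]\nrootwrap_config = /tmp/rootwrap.conf\n")
        os.chmod(weak, 0o644)
        # Treat the current user as the service account for the weak case.
        weak_findings = audit_nova_conf(weak, os.getuid(), os.getgid())

        hardened = os.path.join(d, "nova-hardened.conf")
        with open(hardened, "w") as f:
            f.write("[DEFAULT]\nrootwrap_config = /etc/nova/rootwrap.conf\n")
        os.chmod(hardened, 0o600)
        # Constructed: a service uid/gid that does not own the file.
        ok_findings = audit_nova_conf(hardened, os.getuid() + 1, os.getgid() + 1)
        return weak_findings, ok_findings


if __name__ == "__main__":
    weak, ok = demo()
    print("weak config findings:")
    for line in weak:
        print("  -", line)
    print("hardened config findings:", ok or "none")
```

Run it against a real deployment by calling audit_nova_conf with the path to the container's nova.conf and the numeric uid/gid of the nova user; an empty list means the file satisfies both properties the thread asks for. The rootwrap check resolves symlinks before comparing, so a link inside /etc/nova that points elsewhere is still reported.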