Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Sam Yaple
On Mon, Sep 26, 2016 at 4:32 PM, Jeffrey Zhang wrote: > Hey Sam, > > Yes. world readable is bad. But writable for current running service is > also bad. > > But in nova.conf, the rootwrap_config is configurable. It can be changed > to a custom file to gain root

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Sam Yaple
On Mon, Sep 26, 2016 at 3:03 PM, Christian Berendt < bere...@betacloud-solutions.de> wrote: > > On 26 Sep 2016, at 16:43, Sam Yaple wrote: > > > > So this actually makes it _less_ secure. The 0600 permissions were > chosen for a reason. The nova.conf file has passwords to the

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Jeffrey Zhang
Hey Sam, Yes. world readable is bad. But writable for current running service is also bad. But in nova.conf, the rootwrap_config is configurable. It can be changed to a custom file to gain root permission. # nova.conf rootwrap_config = /tmp/rootrwap.conf # /tmp/rootwrap.conf [DEFAULT]

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Jeffrey Zhang
On Mon, Sep 26, 2016 at 11:03 PM, Christian Berendt < bere...@betacloud-solutions.de> wrote: > Confirmed. Please do not make configuration files world readable. > > We use volumes for the configuration file directories. Why do we not > simply use read only volumes? This way we do not have to

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Steven Dake (stdake)
Sam is correct here. This is the why behind the how ☺ Regards -steve From: Sam Yaple Reply-To: "s...@yaple.net" , "OpenStack Development Mailing List (not for usage questions)" Date: Monday, September 26, 2016 at 7:43 AM

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Christian Berendt
> On 26 Sep 2016, at 16:43, Sam Yaple wrote: > > So this actually makes it _less_ secure. The 0600 permissions were chosen for > a reason. The nova.conf file has passwords to the DB and rabbitmq. If the > configuration files are world readable then those passwords could leak

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Sam Yaple
On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang wrote: > Using the same user for running service and the configuration files is > a danger. i.e. the service running user shouldn't change the > configuration files. > > a simple attack like: > * a hacker hacked into

Re: [openstack-dev] [kolla] the user in container should NOT have write permission for configuration file

2016-09-26 Thread Jeffrey Zhang
Using the same user for running service and the configuration files is a danger. i.e. the service running user shouldn't change the configuration files. a simple attack like: * a hacker hacked into nova-api container with nova user * he can change the /etc/nova/rootwrap.conf file and