Public bug reported:

Using keystone against an external MySQL database, users have access to manage the keystone database, i.e.:
ubuntu@ip-10-12-14-3:~$ keystone-manage user add tester p@ssword
ubuntu@ip-10-12-14-3:~$ keystone-manage role add Admin
ubuntu@ip-10-12-14-3:~$ keystone-manage role grant Admin tester

Permissions on either /usr/bin/keystone-manage or /etc/keystone/keystone.conf need to be tightened.

I believe this is not an issue with the default package installation since keystone defaults to /var/lib/keystone/keystone.db as its backing store, which is owned 0755 by user keystone (perhaps this should also be restricted to 0600?)

** Affects: keystone (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/900553

Title:
  Any user can manage the keystone database via keystone-manage
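The permission problem described in this report can be checked with a small audit script. This is an added example, not part of the original bug report or the keystone package; it assumes GNU stat (as on Ubuntu) and treats any access bit for "other" on the config file or the SQLite backing store as a finding.

```shell
#!/bin/sh
# Added example: report keystone data files that local users outside the
# owner and group can access. Paths are the ones named in the bug report;
# the "no access for other" policy is this example's assumption.

# other_bits PATH -> prints the "other" permission digit (0-7) of PATH
other_bits() {
    mode=$(stat -c '%a' "$1") || return 2
    # Keep only the last octal digit, e.g. 644 -> 4, 4755 -> 5
    printf '%s\n' "${mode#"${mode%?}"}"
}

# world_accessible PATH -> 0 if any "other" bit is set, 1 if none, 2 on error
world_accessible() {
    bits=$(other_bits "$1") || return 2
    [ "$bits" -ne 0 ]
}

# audit_keystone PATH... -> one line per path; exit status = number of findings
audit_keystone() {
    findings=0
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "SKIP  $p (not present)"
        elif world_accessible "$p"; then
            echo "FAIL  $p is $(stat -c '%a %U:%G' "$p")"
            findings=$((findings + 1))
        else
            echo "OK    $p is $(stat -c '%a %U:%G' "$p")"
        fi
    done
    return "$findings"
}

# keystone.conf holds the database connection settings; keystone.db is the
# default SQLite backing store mentioned in the report.
audit_keystone /etc/keystone/keystone.conf /var/lib/keystone/keystone.db \
    || echo "$? path(s) need tighter permissions"
```

A FAIL line on /etc/keystone/keystone.conf corresponds to the condition in the report, where an unprivileged user can run keystone-manage against the configured database.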