 1bf55f1eb0
			
		
	
	1bf55f1eb0
	
	
	
		
			
			All OSSN authors, added under the "Author:" metadata field Change-Id: I81771dd3ec8d2c133ebc6ddf9f2c5f0f958d603a Closes-Bug: #1599064
		
			
				
	
	
		
			46 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			46 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| Keystone configuration should not be world readable
 | |
| ---
 | |
| 
 | |
| ### Summary ###
 | |
| In some deployments keystone.conf which contains confidential information, is
 | |
| set to world readable.
 | |
| 
 | |
| ### Affected Services / Software ###
 | |
| Keystone, DevStack, Deployment
 | |
| 
 | |
| ### Discussion ###
 | |
| It is important that deployers of OpenStack ensure that keystone.conf is not
 | |
| world readable. In some deployments the keystone configuration file is readable
 | |
| by all users (and processes) on the installation system. This file should be
 | |
| set with the most restrictive permissions that allow the system to continue
 | |
| proper operations.
 | |
| 
 | |
| In particular, the password configuration of the LDAP section and the
 | |
| admin_token contain secret information:
 | |
| 
 | |
| ---- being example config snippet ----
 | |
| [ldap]
 | |
| url = ldap://localhost
 | |
| user = dc=Manager,dc=example,dc=com
 | |
| password = None <- should be secret
 | |
| suffix = cn=example,cn=com
 | |
| use_dumb_member = False
 | |
| allow_subtree_delete = False
 | |
| dumb_member = cn=dumb,dc=example,dc=com
 | |
| 
 | |
| [DEFAULT]
 | |
| admin_token = passw0rd <- should be secret
 | |
| ---- end example config snippet ----
 | |
| 
 | |
| ### Recommended Actions ###
 | |
| Ensure that in your deployment keystone.conf uses the most restrictive
 | |
| permissions that allow the system to continue proper operations.
 | |
| 
 | |
| ### Contacts / References ###
 | |
| Author: Robert Clark, HP
 | |
| This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
 | |
| Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
 | |
| OpenStack Security ML : openstack-security@lists.openstack.org
 | |
| OpenStack Security Group : https://launchpad.net/~openstack-ossg
 | |
| CVE: CVE-2013-1977
 |