67b5ec2943
The OpenStack Security Notes are being migrated to the new security-doc repository that we use for the security guide. This patch migrates over the existing content of the old OSSN repository without any modification to content. Change-Id: I348d0591fc71c1174368fad7ef761e489c88ab9c
45 lines
1.5 KiB
Plaintext
45 lines
1.5 KiB
Plaintext
Keystone configuration should not be world readable
|
|
---
|
|
|
|
### Summary ###
|
|
In some deployments keystone.conf which contains confidential information, is
|
|
set to world readable.
|
|
|
|
### Affected Services / Software ###
|
|
Keystone, DevStack, Deployment
|
|
|
|
### Discussion ###
|
|
It is important that deployers of OpenStack ensure that keystone.conf is not
|
|
world readable. In some deployments the keystone configuration file is readable
|
|
by all users (and processes) on the installation system. This file should be
|
|
set with the most restrictive permissions that allow the system to continue
|
|
proper operations.
|
|
|
|
In particular, the password configuration of the LDAP section and the
|
|
admin_token contain secret information:
|
|
|
|
---- being example config snippet ----
|
|
[ldap]
|
|
url = ldap://localhost
|
|
user = dc=Manager,dc=example,dc=com
|
|
password = None <- should be secret
|
|
suffix = cn=example,cn=com
|
|
use_dumb_member = False
|
|
allow_subtree_delete = False
|
|
dumb_member = cn=dumb,dc=example,dc=com
|
|
|
|
[DEFAULT]
|
|
admin_token = passw0rd <- should be secret
|
|
---- end example config snippet ----
|
|
|
|
### Recommended Actions ###
|
|
Ensure that in your deployment keystone.conf uses the most restrictive
|
|
permissions that allow the system to continue proper operations.
|
|
|
|
### Contacts / References ###
|
|
This OSSN : https://bugs.launchpad.net/ossn/+bug/1168252
|
|
Original LaunchPad Bug : https://bugs.launchpad.net/devstack/+bug/1168252
|
|
OpenStack Security ML : openstack-security@lists.openstack.org
|
|
OpenStack Security Group : https://launchpad.net/~openstack-ossg
|
|
CVE: CVE-2013-1977
|