> On 26 Sep 2016, at 16:43, Sam Yaple <[email protected]> wrote: > > So this actually makes it _less_ secure. The 0600 permissions were chosen for > a reason. The nova.conf file has passwords to the DB and rabbitmq. If the > configuration files are world readable then those passwords could leak to an > unprivileged user on the host.
Confirmed. Please do not make configuration files world readable. We use volumes for the configuration file directories. Why do we not simply use read only volumes? This way we do not have to touch the current implementation (files are owned by the service user with 0600 permissions) and can make the configuration files read only. Christian.
signature.asc
Description: Message signed with OpenPGP using GPGMail
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
