On Mon, Sep 26, 2016 at 4:32 PM, Jeffrey Zhang
wrote:
> Hey Sam,
>
> Yes. world readable is bad. But writable for current running service is
> also bad.
>
> But in nova.conf, the rootwrap_config is configurable. It can be changed
> to a custom file to gain root permission.
>
> # nova.conf
> rootw
On Mon, Sep 26, 2016 at 3:03 PM, Christian Berendt <
bere...@betacloud-solutions.de> wrote:
> > On 26 Sep 2016, at 16:43, Sam Yaple wrote:
> >
> > So this actually makes it _less_ secure. The 0600 permissions were
> chosen for a reason. The nova.conf file has passwords to the DB and
> rabbitmq.
Hey Sam,
Yes. world readable is bad. But writable for current running service is
also bad.
But in nova.conf, the rootwrap_config is configurable. It can be changed to
a custom file to gain root permission.
# nova.conf
rootwrap_config = /tmp/rootrwap.conf
# /tmp/rootwrap.conf
[DEFAULT]
filters_p
On Mon, Sep 26, 2016 at 11:03 PM, Christian Berendt <
bere...@betacloud-solutions.de> wrote:
> Confirmed. Please do not make configuration files world readable.
>
> We use volumes for the configuration file directories. Why do we not
> simply use read only volumes? This way we do not have to touch
(not for usage questions)"
Subject: Re: [openstack-dev] [kolla] the user in container should NOT have
write permission for configuration file
On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang
mailto:zhang.lei@gmail.com>> wrote:
Using the same user for running service and the configuration
> On 26 Sep 2016, at 16:43, Sam Yaple wrote:
>
> So this actually makes it _less_ secure. The 0600 permissions were chosen for
> a reason. The nova.conf file has passwords to the DB and rabbitmq. If the
> configuration files are world readable then those passwords could leak to an
> unprivile
On Mon, Sep 26, 2016 at 1:18 PM, Jeffrey Zhang
wrote:
> Using the same user for running service and the configuration files is
> a danger. i.e. the service running user shouldn't change the
> configuration files.
>
> a simple attack like:
> * a hacker hacked into nova-api container with nova user
Using the same user for running service and the configuration files is
a danger. i.e. the service running user shouldn't change the
configuration files.
a simple attack like:
* a hacker hacked into nova-api container with nova user
* he can change the /etc/nova/rootwrap.conf file and
/etc/nova/roo