Public bug reported:

OpenStack services have no way to specify the permissions on log files
created; standards such as CIS set a default umask of 0027 however that
is not applied to units running under systemd.

This means that log files (and any other files or directories created by
a daemon) will have global read permissions by default.

As the systemd unit files are templated, we can update this fairly
easily for openstack services by adding the UMask=0027 directive to the
core template.

** Affects: openstack-pkg-tools (Ubuntu)
     Importance: High
         Status: Fix Committed

** Affects: openstack-pkg-tools (Ubuntu Focal)
     Importance: High
         Status: Fix Committed

** Also affects: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: openstack-pkg-tools (Ubuntu Focal)
       Status: New => Fix Committed

** Changed in: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided => High

You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

  security: set default umask for service to 0027

To manage notifications about this bug go to:

ubuntu-bugs mailing list

Reply via email to