Public bug reported:

OpenStack services have no way to specify the permissions on log files created; standards such as CIS set a default umask of 0027; however, that is not applied to units running under systemd.

This means that log files (and any other files or directories created by a daemon) will have global read permissions by default. As the systemd unit files are templated, we can update this fairly easily for OpenStack services by adding the UMask=0027 directive to the core template.

** Affects: openstack-pkg-tools (Ubuntu)
     Importance: High
         Status: Fix Committed

** Affects: openstack-pkg-tools (Ubuntu Focal)
     Importance: High
         Status: Fix Committed

** Also affects: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: openstack-pkg-tools (Ubuntu Focal)
       Status: New => Fix Committed

** Changed in: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided => High

https://bugs.launchpad.net/bugs/1859412

Title:
  security: set default umask for service to 0027
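The effect the report describes can be checked per unit file. The following is an added example, not code from openstack-pkg-tools or from the bug report: it reads the `UMask=` setting from a unit's `[Service]` section, falls back to systemd's documented default of 0022, and computes the modes a daemon's log file and log directory end up with. The unit names and `ExecStart` paths are hypothetical, and it assumes the daemon requests the usual 0666 (file) and 0777 (directory) modes at creation.

```python
SYSTEMD_DEFAULT_UMASK = 0o022  # systemd.exec(5) default when UMask= is absent
HARDENED_UMASK = 0o027         # value requested in the bug report

def effective_umask(unit_text):
    """Return the UMask= in effect for [Service]; the last assignment wins."""
    umask, section = SYSTEMD_DEFAULT_UMASK, None
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == "Service" and sep and key.strip() == "UMask":
            umask = int(value.strip(), 8)  # systemd reads the value as octal
    return umask

def audit(unit_text):
    """Report the modes new files and directories get under this unit."""
    umask = effective_umask(unit_text)
    log_mode = 0o666 & ~umask  # the umask only clears bits, it never adds them
    dir_mode = 0o777 & ~umask
    return {
        "umask": f"{umask:04o}",
        "log_file": f"{log_mode:04o}",
        "log_dir": f"{dir_mode:04o}",
        "world_readable": bool(log_mode & 0o004),
        # True when every bit of 0027 is masked (0077 also passes)
        "meets_0027": (umask & HARDENED_UMASK) == HARDENED_UMASK,
    }

# Constructed sample units (hypothetical service name and paths).
UNIT_BEFORE = """[Unit]
Description=Example OpenStack API (constructed sample)
[Service]
User=example
ExecStart=/usr/bin/example-api --log-file=/var/log/example/api.log
"""
UNIT_AFTER = UNIT_BEFORE + "UMask=0027\n"

if __name__ == "__main__":
    for name, text in (("before", UNIT_BEFORE), ("after", UNIT_AFTER)):
        print(name, audit(text))
```

A daemon that passes an explicit narrower mode or calls chmod after creating the file is not described by this calculation; the umask only bounds what the creation call requested.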