Public bug reported:

OpenStack services have no way to specify the permissions on log files
created. Standards such as CIS set a default umask of 0027; however, that
is not applied to units running under systemd.

This means that log files (and any other files or directories created by
a daemon) will have global read permissions by default.

As the systemd unit files are templated, we can update this fairly
easily for OpenStack services by adding the UMask=0027 directive to the
core template.

** Affects: openstack-pkg-tools (Ubuntu)
     Importance: High
         Status: Fix Committed

** Affects: openstack-pkg-tools (Ubuntu Focal)
     Importance: High
         Status: Fix Committed

** Also affects: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Changed in: openstack-pkg-tools (Ubuntu Focal)
       Status: New => Fix Committed

** Changed in: openstack-pkg-tools (Ubuntu Focal)
   Importance: Undecided => High

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1859412

Title:
  security: set default umask for service to 0027
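
An added example, not code from the bug report or from openstack-pkg-tools: a small audit that reads systemd unit text, takes the `[Service]` `UMask=` value (systemd's default for system units is 0022) and reports the file and directory modes a daemon would end up with. The unit names and contents are constructed for illustration, and the 0666/0777 creation modes are an assumption about what the daemon requests.

```python
import configparser

FILE_BASE, DIR_BASE = 0o666, 0o777  # assumed modes requested on create

def effective_modes(umask):
    """Return (file_mode, dir_mode) once the umask bits are cleared."""
    return FILE_BASE & ~umask, DIR_BASE & ~umask

def service_umask(unit_text, default=0o022):
    """Read UMask= from [Service]; fall back to systemd's default 0022."""
    cp = configparser.ConfigParser(strict=False, interpolation=None,
                                   delimiters=("=",))
    cp.optionxform = str  # systemd directives are case-sensitive
    cp.read_string(unit_text)
    raw = cp.get("Service", "UMask", fallback=None)
    return default if raw is None else int(raw, 8)

def audit(units, required=0o027):
    """Flag units whose umask does not mask every bit in `required`."""
    findings = {}
    for name, text in units.items():
        um = service_umask(text)
        if um & required != required:
            fmode, dmode = effective_modes(um)
            findings[name] = (f"{um:04o}", f"{fmode:04o}", f"{dmode:04o}")
    return findings

# Constructed sample units (hypothetical names and paths).
SAMPLE_UNITS = {
    "example-api.service": (
        "[Unit]\nDescription=Example API\n"
        "[Service]\nUser=example\nExecStart=/usr/bin/example-api\n"
    ),
    "example-hardened.service": (
        "[Unit]\nDescription=Example API (hardened)\n"
        "[Service]\nUser=example\nUMask=0027\n"
        "ExecStart=/usr/bin/example-api\n"
    ),
}

if __name__ == "__main__":
    for unit, (um, fmode, dmode) in audit(SAMPLE_UNITS).items():
        print(f"{unit}: umask {um} -> files {fmode}, dirs {dmode}")
```
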
