Restrict permissions on Openstack installation

Bug #1675088 reported by Joseph Borg
Affects                 Status         Importance   Assigned to   Milestone
Ubuntu Cloud Archive    Fix Released   Medium       Unassigned
  Ocata                 Fix Released   Undecided    Unassigned
  Pike                  Fix Released   Undecided    Unassigned
aodh (Ubuntu)
  Zesty                 New            Undecided    Unassigned
  Artful                New            Undecided    Unassigned
heat (Ubuntu)           Fix Released   Medium       Unassigned
  Zesty                 Fix Released   Medium       Unassigned
  Artful                Fix Released   Medium       Unassigned
horizon (Ubuntu)        Fix Released   Medium       Unassigned
  Zesty                 Won't Fix      Medium       Unassigned
  Artful                Fix Released   Medium       Unassigned

Bug Description

[Impact]
Default configuration file permissions may allow read by unprivileged users other than the package system account.

[Test Case]
sudo apt install <pkg>-common
ls -l /etc/<pkg>
a) folder may be readable b) files may be readable

[Regression Potential]
Medium; if an OpenStack daemon can't read its config files, it won't start up; however, most packages are covered by DEP-8 tests and we'll test
a full OpenStack deployment using the normal SRU testing process:

https://wiki.ubuntu.com/OpenStack/StableReleaseUpdates

[Original Bug Report]
Example given by CPE:

Permissions for /etc/openstack-dashboard/ are too loose (755). Should be 700, horizon:horizon
Permissions for /etc/cinder/ are too loose (750). Should be 700, cinder:cinder
Permissions for /etc/glance/ are too loose (755). Should be 700, glance:glance
Permissions for /etc/heat/ are too loose (750). Should be 700, heat:heat
Permissions for /etc/ceilometer/ are too loose (755). Should be 700, ceilometer:ceilometer

Will leave for you to evaluate best permissions.

Changed in cloud-archive:
status: New → Confirmed
status: Confirmed → Triaged
importance: Undecided → Medium
Revision history for this message
Joseph Borg (joeborg) wrote :

For >=Mitaka please.

Revision history for this message
James Page (james-page) wrote :

As a general rule, directories and files should not be writable by the unprivileged user, only by root, so the template should be:

   root:<openstack-users-group>
   0750 permissions

for example:

   root:cinder
   0750

Revision history for this message
Chuck Short (zulcss) wrote :

I've gone through the above projects and made the appropriate changes.

Changed in cloud-archive:
status: Triaged → Fix Committed
Revision history for this message
James Page (james-page) wrote :

We'll need bug tasks for impacted packages in Ubuntu if we're going to SRU this.

Revision history for this message
James Page (james-page) wrote :

@Chuck

can you make sure things are in line with my comments in #2 - the current set of commits switch everything to 0700, which I don't think is right.

James Page (james-page)
Changed in cloud-archive:
status: Fix Committed → Triaged
Revision history for this message
Darren Chan (dazzachan) wrote :

There is also a Dashboard package error in Ocata.

Permissions for /etc/openstack-dashboard/ should be 700, www-data:www-data.
/var/lib/openstack-dashboard/secret_key should be 600, www-data:www-data.

It shouldn't be horizon:horizon.

Thanks!

Revision history for this message
James Page (james-page) wrote :

heat fix is stuck in artful-proposed (Marked Fix Committed).

Changed in heat (Ubuntu Artful):
status: New → Fix Committed
importance: Undecided → Medium
Changed in heat (Ubuntu Zesty):
importance: Undecided → Medium
status: New → In Progress
Changed in horizon (Ubuntu Artful):
status: New → Fix Committed
importance: Undecided → Medium
Changed in horizon (Ubuntu Zesty):
importance: Undecided → Medium
status: New → Triaged
status: Triaged → In Progress
status: In Progress → Triaged
James Page (james-page)
description: updated
description: updated
description: updated
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 1:9.0.0~b1-0ubuntu2

---------------
heat (1:9.0.0~b1-0ubuntu2) artful; urgency=medium

  * No-change rebuild for sqlalchemy 1.1.x.

 -- James Page <email address hidden> Fri, 28 Apr 2017 10:04:45 +0100

Changed in heat (Ubuntu Artful):
status: Fix Committed → Fix Released
Revision history for this message
Andy Whitcroft (apw) wrote : Please test proposed package

Hello Joseph, or anyone else affected,

Accepted heat into zesty-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/heat/1:8.0.1-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in heat (Ubuntu Zesty):
status: In Progress → Fix Committed
tags: added: verification-needed
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Change of SRU verification policy

As part of a recent change in the Stable Release Update verification policy we would like to inform that for a bug to be considered verified for a given release a verification-done-$RELEASE tag needs to be added to the bug, where $RELEASE is the name of the series of the package that was tested (e.g. verification-done-xenial). Please note that the global 'verification-done' tag can no longer be used for this purpose.

Thank you!

Revision history for this message
James Page (james-page) wrote :

# ls -l /etc | grep heat
drwx------ 3 heat heat 6 Jul 4 15:46 heat

# apt-cache policy heat-common
heat-common:
  Installed: 1:8.0.1-0ubuntu1
  Candidate: 1:8.0.1-0ubuntu1
  Version table:
 *** 1:8.0.1-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu zesty-proposed/main amd64 Packages
        100 /var/lib/dpkg/status
     1:8.0.0-0ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu zesty/main amd64 Packages

tags: added: verification-done-zesty
removed: verification-needed
Revision history for this message
James Page (james-page) wrote :

(NOTE that heat also forms part of the functional testing done for the 8.0.1 point release that this fix was included with).

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package heat - 1:8.0.1-0ubuntu1

---------------
heat (1:8.0.1-0ubuntu1) zesty; urgency=medium

  [ Chuck Short ]
  * d/heat-common.postinst: Make sure that /etc/heat has the appropriate
    permissions (LP: #1675088).

  [ James Page ]
  * New upstream stable release for OpenStack Ocata (LP: #1696139).

 -- James Page <email address hidden> Wed, 07 Jun 2017 16:02:28 +0100

Changed in heat (Ubuntu Zesty):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for heat has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

heat is fix-released for pike cloud-archive

Revision history for this message
Corey Bryant (corey.bryant) wrote :

horizon was fix-released in 3:12.0.0~b1-0ubuntu1 for artful/pike.

Changed in horizon (Ubuntu Artful):
status: Fix Committed → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote : Please test proposed package

Hello Joseph, or anyone else affected,

Accepted glance into ocata-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:ocata-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-ocata-needed to verification-ocata-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-ocata-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-ocata-needed
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Marking Zesty as Won't Fix since it is no longer supported.

Changed in horizon (Ubuntu Zesty):
status: Triaged → Won't Fix
Revision history for this message
Corey Bryant (corey.bryant) wrote :

Marking horizon (Ubuntu) as Fix Released as this is fixed since Zesty/Ocata.

Changed in horizon (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Corey Bryant (corey.bryant) wrote :

This was fixed since Ocata rather than Zesty/Ocata for horizon. Nonetheless it's fixed in all new horizon releases since Ocata.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

Testing has completed successfully for glance in ocata-proposed:

root@x1:~# ls -al /etc/glance/
total 28
drwxr-x--- 3 root glance 4096 May 11 17:49 .

And ocata-proposed regression tests passed:

======
Totals
======
Ran: 102 tests in 1806.1829 sec.
 - Passed: 94
 - Skipped: 8
 - Expected Fail: 0
 - Unexpected Success: 0
 - Failed: 0
Sum of execute time for each test: 1104.3589 sec.

tags: added: verification-ocata-done
removed: verification-ocata-needed
Revision history for this message
Corey Bryant (corey.bryant) wrote : Update Released

The verification of the Stable Release Update for glance has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package glance - 2:14.0.1-0ubuntu1~cloud0
---------------

 glance (2:14.0.1-0ubuntu1~cloud0) xenial-ocata; urgency=medium
 .
   [ Chuck Short ]
   * d/glance-common.postinst: Make sure the permissions on /etc/glance is
     set to 0700. (LP: #1675088)
 .
   [ Corey Bryant ]
   * New stable point release for OpenStack Ocata (LP: #1759855).
   * d/glance-common.postinst: Fix permissions on /etc/glance so that
     the glance user can actually access the directory (LP: #1675088).

Changed in cloud-archive:
status: Triaged → Fix Released
Revision history for this message
James Page (james-page) wrote :

Scoping any further remediation work for 20.04 cycle.

Permissions snippet from postinst should look something like:

    chown -R aodh:adm /var/log/aodh
    chmod 0750 /var/log/aodh
    chown -R root:aodh /etc/aodh
    chmod 0750 /etc/aodh
    chown -R aodh:aodh /var/lib/aodh

Revision history for this message
James Page (james-page) wrote :

Missed:

chmod 0750 /var/lib/aodh

in #24

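The root:<group> 0750 template from comment #2 and the postinst snippet in #24 (plus the missed /var/lib line) as a runnable audit, added here as an example; it is not code from the bug, from the Ubuntu packaging or from any OpenStack project. It assumes Linux with GNU coreutils (stat -c) and the three paths in the snippet; audit_dir, audit_service and fix_service are hypothetical helper names. audit_dir goes further than the snippet in one respect: it also flags entries below a directory that carry any "other" bits (the "files may be readable" half of the test case) and, when root owns the tree, any group-write bit. fix_service reproduces the snippet exactly and must run as root.

```shell
#!/usr/bin/env bash
# Added example (not from the bug or the Ubuntu packaging): audit a service's
# directories against the policy discussed in this bug, and optionally apply it.
# Policy:  /etc/SVC      root:SVC  0750   (root owns config; the service only reads it)
#          /var/log/SVC  SVC:adm   0750
#          /var/lib/SVC  SVC:SVC   0750
# Assumes Linux with GNU coreutils (stat -c). fix_service must run as root.
set -u

# audit_dir DIR OWNER GROUP DIRMODE
# Prints one line per violation; returns 0 only if the tree is clean.
audit_dir() {
    local dir=$1 owner=$2 group=$3 dirmode=$4
    local rc=0 list path ug mode
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # The directory itself: exact owner, group and mode.
    ug=$(stat -c '%U:%G' "$dir")
    mode=$(stat -c '%a' "$dir")
    [ "$ug" = "$owner:$group" ] || { echo "OWNER  $dir is $ug, want $owner:$group"; rc=1; }
    [ "$mode" = "$dirmode" ]    || { echo "MODE   $dir is $mode, want $dirmode"; rc=1; }

    # Everything below it: same ownership, no "other" bits at all, and, when
    # root owns the tree, no group-write bit (the unprivileged service account
    # must not be able to edit its own configuration).
    list=$(mktemp)
    find "$dir" -mindepth 1 -print > "$list"
    while IFS= read -r path; do
        ug=$(stat -c '%U:%G' "$path")
        mode=$(stat -c '%a' "$path")
        [ "$ug" = "$owner:$group" ] || { echo "OWNER  $path is $ug, want $owner:$group"; rc=1; }
        # The leading 0 makes the shell parse the stat output as octal.
        if [ $(( 0$mode & 07 )) -ne 0 ]; then
            echo "WORLD  $path mode $mode"; rc=1
        fi
        if [ "$owner" = root ] && [ $(( 0$mode & 020 )) -ne 0 ]; then
            echo "GROUPW $path mode $mode"; rc=1
        fi
    done < "$list"
    rm -f "$list"
    return $rc
}

# audit_service SERVICE: the layout from the postinst snippet (#24 and #25).
audit_service() {
    local svc=$1 rc=0
    audit_dir "/etc/$svc"     root   "$svc" 750 || rc=1
    audit_dir "/var/log/$svc" "$svc" adm    750 || rc=1
    audit_dir "/var/lib/$svc" "$svc" "$svc" 750 || rc=1
    return $rc
}

# fix_service SERVICE: apply the snippet verbatim (run as root). Note 0750, not
# 0700: root owns /etc/SERVICE, so 0700 locks the service account out, which is
# the glance regression recorded in the 2:14.0.1-0ubuntu1~cloud0 changelog.
fix_service() {
    local svc=$1
    chown -R root:"$svc"   "/etc/$svc"     && chmod 0750 "/etc/$svc"
    chown -R "$svc":adm    "/var/log/$svc" && chmod 0750 "/var/log/$svc"
    chown -R "$svc":"$svc" "/var/lib/$svc" && chmod 0750 "/var/lib/$svc"
}

# When run directly with a service name, audit it:  ./audit.sh cinder
if [ "${1-}" ]; then
    audit_service "$1"
fi
```

Run `audit_service glance` after upgrading to see whether the postinst left the tree in the intended state; an OWNER line on /etc/<svc> itself typically means the package still ships the old <svc>:<svc> ownership, and a MODE line reading 700 is the over-tightened variant this bug went back and forth on.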
James Page (james-page)
no longer affects: aodh (Ubuntu)