Glance config files and logs are world-readable

Bug #862844 reported by Adam Gandelman
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
glance (Ubuntu) | Fix Released | High | Adam Gandelman |
Oneiric | Fix Released | High | Adam Gandelman |

Bug Description

/etc/glance/glance-registry.conf may contain database credentials (sql_connection). /etc/glance/glance-api.conf may contain credentials for various storage backends (swift, s3). It appears both may also contain keystone tokens. All of these files are installed world-readable (0644).

When verbose logging is enabled (it is by default), these settings are logged in corresponding log files in /var/log/glance on service startup. These logfiles are also created readable by anyone.

Dave Walker (davewalker)
Changed in glance (Ubuntu):
status: New → Confirmed
importance: Undecided → High
Changed in glance (Ubuntu Oneiric):
milestone: none → ubuntu-11.10
tags: added: server-o-rs
Changed in glance (Ubuntu Oneiric):
assignee: nobody → Adam Gandelman (gandelman-a)
Changed in glance (Ubuntu Oneiric):
status: Confirmed → In Progress
Adam Gandelman (gandelman-a) wrote :

Debdiff attached glance_2011.3-0ubuntu3 -> glance_2011.3-0ubuntu4

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "glance.debdiff" of this bug report has been identified as being a patch in the form of a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are a member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package glance - 2011.3-0ubuntu4

---------------
glance (2011.3-0ubuntu4) oneiric; urgency=low

  [ Adam Gandelman ]
  * debian/glance.postinst: Restrict permissions of /etc/glance/ and
    /var/log/glance/ (LP: #862844)
 -- Chuck Short <email address hidden> Fri, 30 Sep 2011 16:00:33 -0400

Changed in glance (Ubuntu Oneiric):
status: In Progress → Fix Released
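
An added example, not the attached debdiff or the packaged postinst: a shell audit for the exposure described in this report, with a matching remediation. The directory paths and the sql_connection key come from the report; the function names and the audit/fix arguments are hypothetical, and the fix assumes the files are already owned by the account the glance services run as.

```shell
#!/bin/sh
# Added example: audit and tighten access to the glance paths named in the report.
# Function names and the audit/fix arguments are hypothetical.
GLANCE_DIRS="${GLANCE_DIRS:-/etc/glance /var/log/glance}"

# Print every file or directory (symlinks skipped) that grants any
# read, write or execute bit to "other".
list_world_accessible() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        find "$d" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) -print
    done
}

count_world_accessible() {
    list_world_accessible "$@" | wc -l | tr -d ' '
}

# Print world-readable regular files that contain the sql_connection setting,
# whether in a config file or echoed into a log by verbose startup logging.
list_exposed_sql_connection() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        find "$d" -type f -perm -004 -exec grep -l 'sql_connection' {} + || true
    done
}

# Remove all "other" permission bits, recursively. Assumes owner and group are
# already the account the glance services run as, so the service keeps access.
restrict_other() {
    for d in "$@"; do
        [ -e "$d" ] || continue
        chmod -R o-rwx "$d"
    done
}

case "${1:-}" in
    audit) list_world_accessible $GLANCE_DIRS
           list_exposed_sql_connection $GLANCE_DIRS ;;
    fix)   restrict_other $GLANCE_DIRS ;;
esac
```

Files created after the fix follow the creating process's umask, so rerun the audit after a service restart or log rotation.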