Any user can manage the keystone database via keystone-manage

Bug #900553 reported by Adam Gandelman
Affects: keystone (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Adam Gandelman
Milestone: (none)

Bug Description

Using keystone against an external MySQL database, users have access to manage the keystone database, i.e.:

ubuntu@ip-10-12-14-3:~$ keystone-manage user add tester p@ssword
ubuntu@ip-10-12-14-3:~$ keystone-manage role add Admin
ubuntu@ip-10-12-14-3:~$ keystone-manage role grant Admin tester

Permissions on either /usr/bin/keystone-manage or /etc/keystone/keystone.conf need to be tightened. I believe this is not an issue with the default package installation since keystone defaults to /var/lib/keystone/keystone.db as its backing store, which is owned 0755 by user keystone (perhaps this should also be restricted to 0600?)

Adam Gandelman (gandelman-a) wrote :

On second look, /etc/keystone/keystone.conf (like every other OpenStack component) stores its database credentials as a plain-text SQLAlchemy string. This should be installed non-world-readable.

security vulnerability: no → yes
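A shell check for the exposure described in the bug description and the comment above, as an added example that is not part of the bug report or the keystone package: it reports whether a credentials file is readable by group or others and tightens it to owner-only. The temporary file and its contents are constructed stand-ins for /etc/keystone/keystone.conf, and the script assumes GNU stat (`stat -c`).

```sh
#!/bin/sh
# Added example, not code from the bug report or the keystone package.
# Checks whether a file holding plaintext database credentials (such as the
# SQLAlchemy connection string in keystone.conf) can be read by users other
# than its owner, which is the exposure this bug describes.

# Return 0 if only the owner can read the file, 1 if the group or other read
# bit is set, 2 if the file does not exist. Assumes GNU stat.
check_config_perms() {
    file="$1"
    [ -f "$file" ] || return 2
    mode=$(stat -c '%a' "$file")        # octal mode, e.g. 644
    bits=$(printf '%d' "0$mode")        # octal string -> decimal (0644 -> 420)
    # 044 octal (36 decimal) = group-read | other-read
    if [ $(( bits & 36 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# Tighten a credentials file to owner read/write only and re-check it.
harden_config_perms() {
    file="$1"
    chmod 0600 "$file" && check_config_perms "$file"
}

# Demonstration on a constructed temp file standing in for keystone.conf;
# the connection string is a placeholder, not a real credential or format.
demo() {
    tmp=$(mktemp)
    printf '# constructed stand-in: plaintext DB connection string lives here\n' > "$tmp"
    chmod 0644 "$tmp"                   # the package default this bug complains about
    if check_config_perms "$tmp"; then
        echo "$tmp: ok"
    else
        echo "$tmp: readable by group/others (mode $(stat -c '%a' "$tmp"))"
    fi
    harden_config_perms "$tmp" && echo "$tmp: hardened to mode $(stat -c '%a' "$tmp")"
    rm -f "$tmp"
}

demo
```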
Evan Broder (broder) wrote :

I'm going to go ahead and unsubscribe ubuntu-sponsors from this bug - branch merge requests are automatically added to the sponsorship queue.

Rick Spencer (rick-rickspencer3) wrote :

Adam, I'm assigning to you so you can track and close when done

Changed in keystone (Ubuntu):
assignee: nobody → Adam Gandelman (gandelman-a)
Adam Gandelman (gandelman-a) wrote :

I think the branch confusion caused this not to be closed out by Janitor? Either way, it was addressed in keystone 2012.1~e2~20111202.1379-0ubuntu2.

Changed in keystone (Ubuntu):
status: New → Fix Released
This report contains Public Security information: everyone can see this security-related information.