oss-sec mailing list archives
CVE-2013-1977 - OpenStack keystone.conf insecure file permissions
From: Kurt Seifried <kseifried () redhat com>
Date: Fri, 19 Apr 2013 00:55:30 -0600
As reported: https://bugs.launchpad.net/keystone/+bug/1168252

The password configuration of LDAP and admin_token in keystone.conf should be secret to protect security information:

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None                       <- should be secret
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

[DEFAULT]
admin_token = passw0rd                  <- should be secret

Red Hat has a modified installer; we install the file as:

-rw-------. 1 keystone keystone 10235 Apr 19 00:21 /etc/keystone/keystone.conf

Unfortunately, when we hardened our installer I didn't check the upstream distribution for the same flaw, something I should have done. I'm now going to review the other hardening we did to ensure upstream is aware of these potential problems.

--
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
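The advisory's point is that keystone.conf holds live credentials (admin_token, the LDAP bind password) and must therefore be owner-only, as the Red Hat installer's 0600 keystone:keystone mode makes it. The audit below is an added example, not code from the advisory or from Keystone: it parses a keystone.conf, reports which secret options are actually set (a commented-out `# password = None` does not count), and flags the file when its mode lets the group or others read it. The sample file it writes is constructed here from the advisory's fragment.

```python
import configparser
import os
import stat
import tempfile

# keystone.conf options that hold credentials, per the advisory above.
SECRET_OPTIONS = (("DEFAULT", "admin_token"), ("ldap", "password"))
# Permission bits that let the group or anyone else read the file.
NON_OWNER_READ = stat.S_IRGRP | stat.S_IROTH


def find_secrets(path):
    """Return the (section, option) pairs that are really set (not commented out, not None)."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read(path)
    found = []
    for section, option in SECRET_OPTIONS:
        if not parser.has_option(section, option):
            continue
        value = parser.get(section, option).strip()
        if value and value.lower() != "none":
            found.append((section, option))
    return found


def audit_keystone_conf(path):
    """Return findings; an empty list means no secret is exposed through the file mode."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    secrets = find_secrets(path)
    if secrets and mode & NON_OWNER_READ:
        names = ", ".join(f"[{s}] {o}" for s, o in secrets)
        return [f"{path}: mode {mode:04o} is readable by non-owners but holds {names}"]
    return []


def write_sample(mode):
    """Write a constructed keystone.conf modelled on the advisory (hypothetical file) and return its path."""
    sample = (
        "[ldap]\n"
        "# url = ldap://localhost\n"
        "# password = None\n"        # commented out, so not a live secret
        "[DEFAULT]\n"
        "admin_token = passw0rd\n"   # the live secret shown in the advisory
    )
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(sample)
    os.chmod(fh.name, mode)
    return fh.name


if __name__ == "__main__":
    for mode in (0o644, 0o600):  # 0644: the upstream flaw; 0600: the Red Hat installer's mode
        print(f"{mode:04o}:", audit_keystone_conf(write_sample(mode)) or "ok")
```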
Current thread:
- CVE-2013-1977 - OpenStack keystone.conf insecure file permissions Kurt Seifried (Apr 18)
- Re: CVE-2013-1977 - OpenStack keystone.conf insecure file permissions Thierry Carrez (Apr 23)