openstack/openstack-ansible
Code Issues Proposed changes

Set permissions on user_secrets.yml to 0600

Browse Source 
The permissions on the user_secrets file are too open, adjust this so that
after using pw-token-gen.py it sets the file to be 0600 for
user_secrets.yml and the backup tar file that is created. Additionally,
add a note in the README to recommend adjusting the permissions when not
utilising the pw-token-gen.py

Change-Id: I90ffacd83a89a92f48cf160e5b351e1254e9c73a
Closes-Bug: #1461997
This commit is contained in:
Andy McCrae 2015-06-11 11:21:52 +01:00 committed by Kevin Carter
parent e1862a190b
commit 3f8905caee
2 changed files with 3 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.rst
View File

@ -45,6 +45,7 @@ Notes
* The lxc network is created within the *lxcbr0* interface. This supports both NAT networks as well as more traditional networking. If NAT is enabled (default) the IPtables rules will be created along with the interface as a post-up processes. If you ever need to recreate the rules and or restart the dnsmask process you can bounce the interface IE: ``ifdown lxcb0; ifup lxcbr0`` or you can use the ``lxc-system-manage`` command.
* The tool ``lxc-system-manage`` is available on all lxc hosts and can assist in recreating parts of the LXC system whenever its needed.
* Inventory is generated by executing the ``playbooks/inventory/dynamic_inventory.py`` script. This is configured in the ``playbooks/ansible.cfg`` file.
* If you don't use the pw-token-gen.py script you will want to ensure the permissions on /etc/openstack_deploy/user_secrets.yml are more secure. ``chmod 0600 /etc/openstack_deploy/user_secrets.yml``
Bugs and Blueprints

2
scripts/pw-token-gen.py
View File

@ -186,6 +186,7 @@ def main():
print('Creating backup file [ %s ]' % user_vars_tar_file)
# Create a tarball if needed
with tarfile.open(user_vars_tar_file, 'a') as tar:
os.chmod(user_vars_tar_file, 0o600)
basename = os.path.basename(user_vars_file)
# Time stamp the password file in UTC
utctime = datetime.datetime.utcnow()
@ -194,6 +195,7 @@ def main():
tar.add(user_vars_file, arcname=backup_name)
with open(user_vars_file, 'wb') as f:
os.chmod(user_vars_file, 0o600)
f.write(
yaml.safe_dump(
user_vars,