From 8a9e4089aab7a7f09bbb6016a2324c71a88724d9 Mon Sep 17 00:00:00 2001
From: Johannes Grassler
Date: Fri, 16 Sep 2016 10:01:07 +0200
Subject: [PATCH] Fix CVE-2016-7404

This commit is a bare-bones stable/mitaka backport of the fix for CVE-2016-7404. It only retains

* Permissions for /etc/sysconfig/heat-params inside Magnum created instances are tightened to 0600 (used to be 0755).

from the original patch. This was done for two reasons:

* Since stable/mitaka only passes tokens (which expire eventually) an attacker would have to gain access to the instance within a very short time window (the token expiration time).

* Backporting the remaining changes would have required backporting the trusts infrastructure that was only completed in stable/newton. This would mean a considerable change in the stable/mitaka default behaviour.

Please note, that this change does not apply apply to existing clusters. They will have to be deleted and rebuilt to benefit from these changes.

(cherry picked from commit 0bb0d6486d6771ee21bbf897a091b1aa59e01b22)
Change-Id: I329d29cdcce2225f8aa5b57852e6a37d4f8aaa3e
---
 .../kubernetes/fragments/write-heat-params-master.yaml | 2 +-
 magnum/templates/mesos/fragments/write-heat-params.yaml | 2 +-
 magnum/templates/swarm/fragments/write-heat-params.yaml | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
index 91d99c56c1..8352144d72 100644
--- a/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
+++ b/magnum/templates/kubernetes/fragments/write-heat-params-master.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       KUBE_API_PUBLIC_ADDRESS="$KUBE_API_PUBLIC_ADDRESS"
       KUBE_API_PRIVATE_ADDRESS="$KUBE_API_PRIVATE_ADDRESS"
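Review bot: Tightening `permissions` to `"0600"` protects only the on-disk copy of heat-params; the same key/value block is delivered to the instance as cloud-init user-data, and on deployments where the metadata service serves user-data to any local process the token would still be readable without root — worth confirming and, if so, stating in a `# NOTE:` above `write_files:` that the mode is a partial mitigation on stable/mitaka. The removed line shows the old mode as `"0644"` while the commit message says 0755; one of the two should be corrected so the advisory text matches the diff. If a minion-side fragment writes the same `/etc/sysconfig/heat-params` path it is not in this patch and would need the same change. The rest of the `content:` block runs past the end of the hunk.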
diff --git a/magnum/templates/mesos/fragments/write-heat-params.yaml b/magnum/templates/mesos/fragments/write-heat-params.yaml
index 51b7ff57b5..b25fe40543 100644
--- a/magnum/templates/mesos/fragments/write-heat-params.yaml
+++ b/magnum/templates/mesos/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       MESOS_MASTERS_IPS="$MESOS_MASTERS_IPS"
       EXECUTOR_REGISTRATION_TIMEOUT="$EXECUTOR_REGISTRATION_TIMEOUT"
diff --git a/magnum/templates/swarm/fragments/write-heat-params.yaml b/magnum/templates/swarm/fragments/write-heat-params.yaml
index 873c9c09fb..63c4c8af92 100644
--- a/magnum/templates/swarm/fragments/write-heat-params.yaml
+++ b/magnum/templates/swarm/fragments/write-heat-params.yaml
@@ -3,7 +3,7 @@ merge_how: dict(recurse_array)+list(append)
 write_files:
   - path: /etc/sysconfig/heat-params
     owner: "root:root"
-    permissions: "0644"
+    permissions: "0600"
     content: |
       WAIT_HANDLE="$WAIT_HANDLE"
       ETCD_DISCOVERY_URL="$ETCD_DISCOVERY_URL"
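Review bot: With the file now `root:root` and `"0600"`, every fragment that `source`s `/etc/sysconfig/heat-params` must run as root or it will silently get empty variables; the swarm and mesos consumers of this file are not in the patch and should be checked rather than assumed. The swarm hunk writes `WAIT_HANDLE` and `ETCD_DISCOVERY_URL` into the file; a Heat wait-condition handle is typically a pre-signed URL that lets its holder signal the stack, so a short comment on the `permissions:` line such as `# heat-params carries tokens and signed handle URLs; keep root-only` would record why the mode must not be loosened again. The `content:` block continues beyond the end of each hunk.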