Tighten permissions on keystone directories

Make keystone actually run as keystone user, not as nginx/www-data. Change-Id: I2cbc6685abe2d99c103fcf856f83c373517f007f
2022-01-14 13:03:27 +01:00 · 2022-01-14 13:03:27 +01:00 · 77f45dd387
commit 77f45dd387
parent 5fd6251f22
5 changed files with 23 additions and 8 deletions
--- a/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-keystone-install/tasks/bootstrap.yml
@ -109,8 +109,8 @@
    name: "/etc/keystone"
    state: directory
    owner: "keystone"
-    group: "keystone"
-    mode: 0755
+    group: "{{ nginx_user }}"
+    mode: 0750

 - name: "Write keystone configuration from template"
  template:
@ -118,7 +118,7 @@
    dest: "/etc/keystone/keystone.conf"
    owner: "keystone"
    group: "keystone"
-    mode: 0755
+    mode: 0700

 - name: "Apply/Update keystone DB Schema"
  command: keystone-manage db_sync
@ -127,13 +127,13 @@
 - name: "Setup Fernet key repositories"
  command: >
    keystone-manage fernet_setup
-    --keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
+    --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
  environment: "{{ bifrost_venv_env }}"

 - name: "Setup Keystone Credentials"
  command: >
    keystone-manage credential_setup
-    --keystone-user="{{ nginx_user }}" --keystone-group="{{ nginx_user }}"
+    --keystone-user="keystone" --keystone-group="{{ nginx_user }}"
  environment: "{{ bifrost_venv_env }}"

 - name: "Setting external Keystone public URL"
--- a/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
+++ b/playbooks/roles/bifrost-keystone-install/templates/uwsgi-keystone.ini.j2
@ -4,6 +4,7 @@ master = true
 processes = 2
 threads = 2
 no-orphans = true
+# The socket will be read by nginx which is running as nginx_user
 chmod-socket = 660
 virtualenv = {{ bifrost_venv_dir }}

--- a/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
+++ b/playbooks/roles/bifrost-uwsgi-install/tasks/bootstrap.yml
@ -18,6 +18,14 @@
  register: uwsgi_install_prefix
  environment: "{{ bifrost_venv_env }}"

+- name: "Ensure /run/uwsgi exists and has the right permissions"
+  file:
+    name: "/run/uwsgi"
+    state: directory
+    owner: "{{ nginx_user }}"
+    group: "{{ nginx_user }}" # TODO(TheJulia): Split webserver user/group.
+    mode: 0770  # NOTE(dtantsur): needs to be writable by group members
+
 - name: "Ensure /etc/uwsgi exists"
  file:
    name: "/etc/uwsgi"
--- a/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
+++ b/playbooks/roles/bifrost-uwsgi-install/templates/uwsgi@.service.j2
@ -5,9 +5,8 @@ Description=%i uWSGI service
 ExecStart={{ uwsgi_install_prefix.stdout | default('/usr/bin') }}/uwsgi \
          --ini /etc/uwsgi/apps-enabled/%i.ini
 SyslogIdentifier=%i
-RuntimeDirectory=uwsgi
-User={{ nginx_user }}
-Group={{ nginx_user }}
+# Has to be root, otherwise uWSGI won't be able to drop privileges
+User=root
 Restart=on-failure
 KillSignal=SIGQUIT
 Type=notify
--- a/releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml
+++ b/releasenotes/notes/keystone-perm-4ce28fff2edd677a.yaml
@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    The keystone configuration is no longer world-readable.
+  - |
+    The keystone process now runs as the ``keystone`` user, not as the nginx
+    user.