Overlay/sys-cluster/nova/files/nova-folsom-4-CVE-2013-2030...

37 lines
1.3 KiB
Diff
Raw Normal View History

2013-09-30 23:54:05 +04:00
From 74aa04e2ca7942cb1e1a86dcbaffeb72d260ccd7 Mon Sep 17 00:00:00 2001
From: Russell Bryant <rbryant@redhat.com>
Date: Wed, 1 May 2013 09:41:57 -0400
Subject: [PATCH] Remove insecure default for signing_dir option.
The sample api-paste.ini file included an insecure value for the
signing_dir option for the keystone authtoken middleware. Comment out
the option so that we just rely on the default behavior by default.
Fix bug 1174608.
Conflicts:
etc/nova/api-paste.ini
Change-Id: I6189788953d789c34456bbe150b8ed6ce6f68403
(cherry picked from commit 58d6879b1caaa750c39c8e452a0634c24ffef2ce)
---
etc/nova/api-paste.ini | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/etc/nova/api-paste.ini b/etc/nova/api-paste.ini
index 3970974..95307b2 100644
--- a/etc/nova/api-paste.ini
+++ b/etc/nova/api-paste.ini
@@ -124,4 +124,7 @@ auth_protocol = http
admin_tenant_name = %SERVICE_TENANT_NAME%
admin_user = %SERVICE_USER%
admin_password = %SERVICE_PASSWORD%
-signing_dir = /tmp/keystone-signing-nova
+# signing_dir is configurable, but the default behavior of the authtoken
+# middleware should be sufficient. It will create a temporary directory
+# in the home directory for the user the nova process is running as.
+#signing_dir = /var/lib/nova/keystone-signing
--
1.8.1.5