*** salv-orlando has quit IRC | 00:12 | |
*** salv-orlando has joined #openstack-security | 00:13 | |
*** AlexeyAbashkin has joined #openstack-security | 00:17 | |
*** salv-orlando has quit IRC | 00:17 | |
*** AlexeyAbashkin has quit IRC | 00:21 | |
*** liverpooler has joined #openstack-security | 01:11 | |
*** salv-orlando has joined #openstack-security | 01:14 | |
*** salv-orlando has quit IRC | 01:19 | |
*** liujiong has joined #openstack-security | 01:23 | |
*** chyka_ has quit IRC | 01:29 | |
*** dave-mccowan has joined #openstack-security | 01:36 | |
*** aselius has quit IRC | 02:08 | |
*** chyka has joined #openstack-security | 02:13 | |
*** salv-orlando has joined #openstack-security | 02:15 | |
*** AlexeyAbashkin has joined #openstack-security | 02:16 | |
*** chyka has quit IRC | 02:18 | |
*** salv-orlando has quit IRC | 02:21 | |
*** AlexeyAbashkin has quit IRC | 02:21 | |
*** gagehugo has quit IRC | 02:42 | |
*** gyee_ has quit IRC | 02:55 | |
*** dave-mccowan has quit IRC | 03:12 | |
*** dave-mccowan has joined #openstack-security | 03:13 | |
*** dave-mcc_ has joined #openstack-security | 03:16 | |
*** salv-orlando has joined #openstack-security | 03:17 | |
*** dave-mccowan has quit IRC | 03:18 | |
*** salv-orlando has quit IRC | 03:23 | |
*** AlexeyAbashkin has joined #openstack-security | 04:16 | |
*** salv-orlando has joined #openstack-security | 04:19 | |
*** chyka has joined #openstack-security | 04:21 | |
*** AlexeyAbashkin has quit IRC | 04:21 | |
*** salv-orlando has quit IRC | 04:25 | |
*** chyka has quit IRC | 04:26 | |
*** gouthamr has quit IRC | 04:31 | |
*** liverpooler has quit IRC | 04:36 | |
*** dave-mcc_ has quit IRC | 04:42 | |
*** threestrands has quit IRC | 05:10 | |
*** threestrands has joined #openstack-security | 05:10 | |
*** threestrands has quit IRC | 05:10 | |
*** threestrands has joined #openstack-security | 05:10 | |
*** threestrands has quit IRC | 05:12 | |
*** threestrands has joined #openstack-security | 05:12 | |
*** threestrands has quit IRC | 05:12 | |
*** threestrands has joined #openstack-security | 05:12 | |
*** salv-orlando has joined #openstack-security | 05:20 | |
*** salv-orlando has quit IRC | 05:27 | |
*** pcaruana has joined #openstack-security | 06:06 | |
*** pcaruana has quit IRC | 06:06 | |
*** salv-orlando has joined #openstack-security | 06:22 | |
*** salv-orlando has quit IRC | 06:28 | |
*** salv-orlando has joined #openstack-security | 06:49 | |
*** salv-orlando has quit IRC | 06:50 | |
*** salv-orlando has joined #openstack-security | 06:50 | |
*** gagehugo has joined #openstack-security | 06:51 | |
*** threestrands has quit IRC | 07:04 | |
*** vds has joined #openstack-security | 07:14 | |
*** spectr has joined #openstack-security | 07:18 | |
*** spectr has quit IRC | 07:21 | |
*** BR5C003Y_D00 has joined #openstack-security | 07:48 | |
*** BR5C003Y_D00 has quit IRC | 07:51 | |
*** AlexeyAbashkin has joined #openstack-security | 07:52 | |
*** rcernin has quit IRC | 07:53 | |
*** d0ugal has joined #openstack-security | 07:55 | |
*** pcaruana has joined #openstack-security | 08:28 | |
*** vds has quit IRC | 08:35 | |
*** vds_ has joined #openstack-security | 08:35 | |
*** AlexeyAbashkin has quit IRC | 08:48 | |
*** AlexeyAbashkin has joined #openstack-security | 08:51 | |
*** murphy_zhao has quit IRC | 09:17 | |
*** vds_ has quit IRC | 09:26 | |
*** salv-orlando has quit IRC | 09:33 | |
*** salv-orlando has joined #openstack-security | 09:33 | |
*** salv-orlando has quit IRC | 09:38 | |
*** openstackgerrit has quit IRC | 09:48 | |
*** rcernin has joined #openstack-security | 09:55 | |
*** chyka has joined #openstack-security | 09:57 | |
*** chyka has quit IRC | 10:02 | |
*** vds_ has joined #openstack-security | 10:22 | |
*** murphy_zhao has joined #openstack-security | 10:26 | |
*** vds_ has quit IRC | 10:32 | |
*** openstackgerrit has joined #openstack-security | 10:59 | |
openstackgerrit | Merged openstack/bandit master: Migrate to zuul V3 https://review.openstack.org/522458 | 10:59 |
*** salv-orlando has joined #openstack-security | 11:01 | |
*** vds has joined #openstack-security | 11:02 | |
*** liujiong has quit IRC | 11:07 | |
*** salv-orlando has quit IRC | 11:07 | |
*** salv-orlando has joined #openstack-security | 11:08 | |
*** salv-orlando has quit IRC | 11:13 | |
*** salv-orlando has joined #openstack-security | 11:14 | |
*** vds has quit IRC | 11:17 | |
*** chyka has joined #openstack-security | 11:47 | |
*** chyka has quit IRC | 11:51 | |
*** vds has joined #openstack-security | 12:02 | |
*** d0ugal has quit IRC | 12:04 | |
*** d0ugal has joined #openstack-security | 12:08 | |
*** pgomes has joined #openstack-security | 12:13 | |
*** dave-mccowan has joined #openstack-security | 13:06 | |
*** liverpooler has joined #openstack-security | 13:06 | |
*** edmondsw has joined #openstack-security | 13:22 | |
*** salv-orlando has quit IRC | 13:57 | |
*** pcaruana has quit IRC | 14:13 | |
*** pcaruana has joined #openstack-security | 14:17 | |
*** pgomes has left #openstack-security | 14:32 | |
*** salv-orlando has joined #openstack-security | 14:51 | |
*** salv-orl_ has joined #openstack-security | 14:56 | |
*** salv-orlando has quit IRC | 14:59 | |
*** d0ugal has quit IRC | 15:28 | |
*** d0ugal has joined #openstack-security | 15:42 | |
*** gouthamr has joined #openstack-security | 15:45 | |
*** gagehugo has quit IRC | 16:05 | |
*** gagehugo has joined #openstack-security | 16:26 | |
*** salv-orlando has joined #openstack-security | 16:28 | |
*** salv-orl_ has quit IRC | 16:31 | |
*** salv-orlando has quit IRC | 16:42 | |
*** salv-orlando has joined #openstack-security | 16:42 | |
*** salv-orlando has quit IRC | 16:46 | |
*** AlexeyAbashkin has quit IRC | 16:49 | |
*** chyka has joined #openstack-security | 16:56 | |
*** pcaruana has quit IRC | 17:53 | |
*** aselius has joined #openstack-security | 18:09 | |
*** liverpooler has quit IRC | 18:25 | |
*** liverpooler has joined #openstack-security | 18:28 | |
*** AlexeyAbashkin has joined #openstack-security | 18:35 | |
*** AlexeyAbashkin has quit IRC | 18:40 | |
*** AlexeyAbashkin has joined #openstack-security | 18:56 | |
*** AlexeyAbashkin has quit IRC | 19:04 | |
*** salv-orlando has joined #openstack-security | 19:17 | |
*** ssathaye has quit IRC | 19:45 | |
*** ssathaye has joined #openstack-security | 19:46 | |
*** solus has quit IRC | 19:50 | |
*** gouthamr_ has joined #openstack-security | 19:53 | |
*** gouthamr has quit IRC | 19:56 | |
*** pcaruana has joined #openstack-security | 20:21 | |
*** edmondsw_ has joined #openstack-security | 20:52 | |
*** edmondsw has quit IRC | 20:56 | |
*** gouthamr_ is now known as gouthamr | 21:21 | |
*** pcaruana has quit IRC | 21:21 | |
*** edmondsw_ is now known as edmondsw | 21:27 | |
*** rcernin has quit IRC | 21:33 | |
*** liverpooler has quit IRC | 21:37 | |
*** liverpooler has joined #openstack-security | 21:38 | |
*** openstack has joined #openstack-security | 21:43 | |
*** ChanServ sets mode: +o openstack | 21:43 | |
*** rcernin has joined #openstack-security | 22:23 | |
*** edmondsw has quit IRC | 22:36 | |
*** edmondsw has joined #openstack-security | 22:39 | |
dave-mccowan | mhayden ping | 22:40 |
mhayden | howdy | 22:40 |
dave-mccowan | mhayden: i have a quick question on file permissions in the security guide, if you have a sec. | 22:40 |
dave-mccowan | some chapters say config files (cinder.conf) should have owner of root, group of cinder. | 22:41 |
dave-mccowan | some chapters (keystone) say owner and group of keystone (not root). | 22:41 |
mhayden | that's unusual | 22:41 |
dave-mccowan | any thoughts on right/wrong/better? | 22:41 |
mhayden | i'm trying to think of a situation where that's necessary | 22:41 |
mhayden | well, i guess if you're setting something like 0640 on the files, that's better than allowing everyone to read | 22:42 |
dave-mccowan | mhayden it seems slightly more secure (root to write a config file, service user can only read)... | 22:43 |
mhayden | allowing nova to have group ownership of its own config files allows nova to read it but nobody else | 22:43 |
mhayden | well, if /etc/nova/nova.conf is root:nova and 0640, then root can read/write, and nova can read | 22:43 |
mhayden | nobody else can read it | 22:43 |
mhayden | (or write) | 22:43 |
*** edmondsw has quit IRC | 22:43 | |
mhayden | if you made it root:root, then you'd have to open the permissions up to 0644 | 22:44 |
mhayden | which allows anyone to read it | 22:44 |
dave-mccowan | yep. that's the recommendation (root:nova 640). do you think that's better (or just different) than nova:nova 640 ? | 22:44 |
mhayden | well nova should never have write access to its own config file | 22:45 |
mhayden | only root | 22:45 |
mhayden | and nova should be running as the nova user | 22:45 |
mhayden | i just had to sit and think about the reasoning for a minute ;) | 22:46 |
dave-mccowan | mhayden yep. it makes sense. the big question... if you had a system that did it the other way (nova:nova 640), would you patch it? :-) | 22:48 |
mhayden | for sure ;) | 22:49 |
mhayden | openstack-ansible ensures those permissions are set each time it runs | 22:49 |
* mhayden just checked | 22:49 | |
dave-mccowan | mhayden thanks! | 22:51 |
*** lbragstad has quit IRC | 23:17 | |
*** edmondsw has joined #openstack-security | 23:18 | |
*** edmondsw has quit IRC | 23:23 | |
*** lbragstad has joined #openstack-security | 23:24 | |
*** salv-orl_ has joined #openstack-security | 23:37 | |
*** salv-orlando has quit IRC | 23:40 | |
*** lbragstad has quit IRC | 23:56 |