From e0bb21ef0bc8f2e78a02892e8ad9d69e9bf5aa1e Mon Sep 17 00:00:00 2001
From: Travis Truman
Date: Sun, 6 Mar 2016 14:59:32 -0500
Subject: [PATCH] Rootwrap configuration should be owned by root
See https://wiki.openstack.org/wiki/Rootwrap#Security_model for details.
Change-Id: I5b4354f6cc834bae2ba8962b5a283831d7ff9e4f
---
 tasks/nova_post_install.yml | 14 ++++++++------
 tasks/nova_pre_install.yml | 4 ++--
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/tasks/nova_post_install.yml b/tasks/nova_post_install.yml
index 37ef3d87..3dd3c94a 100644
--- a/tasks/nova_post_install.yml
+++ b/tasks/nova_post_install.yml
@@ -13,12 +13,12 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-- name: Copy nova config
+- name: Generate nova config
 config_template:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
- owner: "{{ nova_system_user_name }}"
- group: "{{ nova_system_group_name }}"
+ owner: "{{ item.owner|default(nova_system_user_name) }}"
+ group: "{{ item.group|default(nova_system_group_name) }}"
 mode: "0644"
 config_overrides: "{{ item.config_overrides }}"
 config_type: "{{ item.config_type }}"
@@ -29,6 +29,8 @@
 config_type: "ini"
 - src: "rootwrap.conf.j2"
 dest: "/etc/nova/rootwrap.conf"
+ owner: "root"
+ group: "root"
 config_overrides: "{{ nova_rootwrap_conf_overrides }}"
 config_type: "ini"
 - src: "api-paste.ini.j2"
@@ -44,12 +46,12 @@
 - nova-config
 - nova-post-install
-- name: Generate nova config
+- name: Copy nova rootwrap filter config
 copy:
 src: "{{ item.src }}"
 dest: "{{ item.dest }}"
- owner: "{{ nova_system_user_name }}"
- group: "{{ nova_system_group_name }}"
+ owner: "root"
+ group: "root"
 with_items:
 - { src: "rootwrap.d/api-metadata.filters", dest: "/etc/nova/rootwrap.d/api-metadata.filters" }
 - { src: "rootwrap.d/baremetal-compute-ipmi.filters", dest: "/etc/nova/rootwrap.d/baremetal-compute-ipmi.filters" }
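Review bot: In the first hunk `mode: "0644"` stays a fixed value on the config_template task while owner and group become per-item overridable, so the rootwrap.conf entry that the second hunk marks `owner: "root"` / `group: "root"` cannot be given a tighter mode than the service-owned configs. nova_pre_install.yml already uses the per-item pattern for directories; the matching line here would be `mode: "{{ item.mode|default('0644') }}"`, after which the rootwrap.conf item could carry its own `mode` if `nova_rootwrap_conf_overrides` ever holds anything that should not be world-readable. root:root with 0644 does already give the not-writable-by-the-service-user property the commit message is after, so this is a consistency point rather than a defect.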
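Review bot: The copy task renamed to `Copy nova rootwrap filter config` in the third hunk pins `owner: "root"` and `group: "root"` but sets no `mode`, so the filter files' permissions are left to whatever the destination already has or, for new files, to the remote umask, rather than being fixed by the playbook. A group- or world-writable filter file would undo the protection the root ownership is meant to provide, since the filters decide what rootwrap may run. Adding `mode: "0644"` next to the owner/group lines matches the config_template task earlier in the same file. The with_items list of this task continues past the end of the hunk.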
diff --git a/tasks/nova_pre_install.yml b/tasks/nova_pre_install.yml
index 8f66a0da..e39babb2 100644
--- a/tasks/nova_pre_install.yml
+++ b/tasks/nova_pre_install.yml
@@ -57,9 +57,9 @@
 group: "{{ item.group|default(nova_system_group_name) }}"
 mode: "{{ item.mode|default('0755') }}"
 with_items:
- - { path: "/openstack", mode: "0755", owner: "root", group: "root" }
+ - { path: "/openstack", owner: "root", group: "root" }
 - { path: "/etc/nova" }
- - { path: "/etc/nova/rootwrap.d" }
+ - { path: "/etc/nova/rootwrap.d", owner: "root", group: "root" }
 - { path: "/etc/sudoers.d", mode: "0750", owner: "root", group: "root" }
 - { path: "/var/cache/nova" }
 - { path: "{{ nova_system_home_folder }}" }
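Review bot: `/etc/nova/rootwrap.d` becomes root:root here, but the untouched context line `- { path: "/etc/nova" }` shows the parent directory still falls back to the service user and group with the default 0755, and rootwrap.conf, which nova_post_install.yml now makes root-owned, sits directly in that directory. Unlinking or renaming a file needs write permission on the directory rather than on the file, so a root-owned file inside a service-user-owned directory can still be swapped out by that user, which is the situation the Rootwrap security model cited in the commit message is meant to rule out. If nothing else in the role relies on the service user writing into /etc/nova, `- { path: "/etc/nova", owner: "root", group: "{{ nova_system_group_name }}" }` keeps the directory readable for the service while closing that gap; dropping the explicit `mode: "0755"` from the /openstack item is a no-op given the task default.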