)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":24072,"name":"Marcin Juszkiewicz","email":"mjuszkiewicz@redhat.com","username":"hrw"},"change_message_id":"c4eb1aba73641a97117692ca25bc8e1550475397","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix writable rootwrap/privsep config"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"More details in the attached reno."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a"},{"line_number":12,"context_line":"Closes-Bug: #1874298"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"2fa2cf53_4c0f3125","line":9,"updated":"2022-10-10 14:52:15.000000000","message":"This reno is not 5 pages of A4 text. Please include it in commit message.","commit_id":"aab9eb91aa1f01b4ef6c1d53217a6f071dd91a53"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"bc659336074817262ce13e7ecbba8c652200fe32","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Fix writable rootwrap/privsep config"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"More details in the attached reno."},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: I92c81c77e6a16570a108cde8031f7977930fb02a"},{"line_number":12,"context_line":"Closes-Bug: #1874298"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":6,"id":"b98e491a_baa3a316","line":9,"in_reply_to":"2fa2cf53_4c0f3125","updated":"2022-10-10 15:06:27.000000000","message":"Done","commit_id":"aab9eb91aa1f01b4ef6c1d53217a6f071dd91a53"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":24072,"name":"Marcin Juszkiewicz","email":"mjuszkiewicz@redhat.com","username":"hrw"},"change_message_id":"37e3bdc8d9f9971a07e99543195513cc6a305652","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"ecf7ad18_c478dbcf","updated":"2022-04-04 16:04:11.000000000","message":"still testing?","commit_id":"9ba343a3423d8652fa05006f34d5b58e1bd745e8"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"bdae271b2dd3b0252d53fe16c19e6b5f5be6ea40","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"1366ea2d_c9c06278","in_reply_to":"ecf7ad18_c478dbcf","updated":"2022-04-04 19:17:21.000000000","message":"yes, this is relevant","commit_id":"9ba343a3423d8652fa05006f34d5b58e1bd745e8"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"1a65b5aac9b0c5121171609c77ce31714f5d4dc1","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":4,"id":"d4a14e01_37b2ec42","updated":"2022-08-29 18:14:48.000000000","message":"check experimental","commit_id":"4415116361690855556bab0d4f72c29421563066"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"a3d5fc7b5a877ca2da367081ba0cc07387c7b81b","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":6,"id":"5d33a1f8_961499d7","updated":"2022-10-10 07:43:50.000000000","message":"Thanks.","commit_id":"aab9eb91aa1f01b4ef6c1d53217a6f071dd91a53"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"bc659336074817262ce13e7ecbba8c652200fe32","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"309f433e_17ce35fe","updated":"2022-10-10 15:06:27.000000000","message":"Hah, Jens has already pointed this out on a different change.","commit_id":"2daf4331a648cc2df6982c1a6ec47a705e038255"},{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"f6d0ed7d6b0f9bb9522ac01316e81afe7190a8d8","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":7,"id":"13c493ed_d5242c34","in_reply_to":"309f433e_17ce35fe","updated":"2022-10-10 15:35:59.000000000","message":"Yes, I was willing to let one pass and complained only when I saw it the second time ;)","commit_id":"2daf4331a648cc2df6982c1a6ec47a705e038255"}],"docker/cinder/cinder-base/Dockerfile.j2":[{"author":{"_account_id":14826,"name":"Mark Goddard","email":"markgoddard86@gmail.com","username":"mgoddard"},"change_message_id":"438f6072b0584109634f2ab058b42699deaff849","unresolved":false,"context_lines":[{"line_number":65,"context_line":"    \u0026\u0026 {{ macros.install_pip(cinder_base_pip_packages | customizable(\"pip_packages\")) }} \\"},{"line_number":66,"context_line":"    \u0026\u0026 mkdir -p /etc/cinder \\"},{"line_number":67,"context_line":"    \u0026\u0026 cp -r /cinder/etc/cinder/* /etc/cinder/ \\"},{"line_number":68,"context_line":"    \u0026\u0026 chown -R cinder: /etc/cinder \\"},{"line_number":69,"context_line":"    \u0026\u0026 sed -i \u0027s|^exec_dirs.*|exec_dirs\u003d/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g\u0027 /etc/cinder/rootwrap.conf"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"1f493fa4_79b6d5fc","side":"PARENT","line":68,"updated":"2020-04-23 20:07:38.000000000","message":"I think the security guide recommends using root:cinder 0640.","commit_id":"d318e5c1a193914ee90eab1c9a762d61d1b07acb"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"0052e20b0df8dfc8c91fab5d0427ac55c8c30b18","unresolved":false,"context_lines":[{"line_number":65,"context_line":"    \u0026\u0026 {{ macros.install_pip(cinder_base_pip_packages | customizable(\"pip_packages\")) }} \\"},{"line_number":66,"context_line":"    \u0026\u0026 mkdir -p /etc/cinder \\"},{"line_number":67,"context_line":"    \u0026\u0026 cp -r /cinder/etc/cinder/* /etc/cinder/ \\"},{"line_number":68,"context_line":"    \u0026\u0026 chown -R cinder: /etc/cinder \\"},{"line_number":69,"context_line":"    \u0026\u0026 sed -i \u0027s|^exec_dirs.*|exec_dirs\u003d/var/lib/kolla/venv/bin,/sbin,/usr/sbin,/bin,/usr/bin,/usr/local/bin,/usr/local/sbin|g\u0027 /etc/cinder/rootwrap.conf"},{"line_number":70,"context_line":""},{"line_number":71,"context_line":"{% endif %}"}],"source_content_type":"text/x-jinja2","patch_set":2,"id":"1f493fa4_181d0266","side":"PARENT","line":68,"in_reply_to":"1f493fa4_79b6d5fc","updated":"2020-04-24 07:15:36.000000000","message":"Good point (obviously 0750 for directories). Example: https://docs.openstack.org/security-guide/compute/checklist.html\n\nAlso some old SCAP profile looks relevant: https://static.open-scap.org/ssg-guides/ssg-rhosp10-guide-index.html\n\nIdeally, we would sync this with binary. Enterprise packaging should do it correctly.","commit_id":"d318e5c1a193914ee90eab1c9a762d61d1b07acb"}],"releasenotes/notes/bug-1874298-35b7ccffe327f7e4.yaml":[{"author":{"_account_id":13252,"name":"Dr. Jens Harbott","display_name":"Jens Harbott (frickler)","email":"frickler@offenerstapel.de","username":"jrosenboom"},"change_message_id":"f4761069cda587e6025f4648ab312ea03000e092","unresolved":true,"context_lines":[{"line_number":7,"context_line":"    to be run with root privileges via rootwrap/privsep. For a succesful"},{"line_number":8,"context_line":"    attack, this would also require the service to allow to run arbitrary"},{"line_number":9,"context_line":"    commands via rootwrap/privsep. Thus far, no such vulnerabilities have"},{"line_number":10,"context_line":"    been reported and thus this fix is simply strengthening the cointainers"},{"line_number":11,"context_line":"    against such an issue in the future."},{"line_number":12,"context_line":"    `LP#1874298 \u003chttps://launchpad.net/bugs/1874298\u003e`__"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"819c7048_d61df32d","line":10,"range":{"start_line":10,"start_character":64,"end_line":10,"end_character":75},"updated":"2022-10-10 07:32:11.000000000","message":"containers","commit_id":"94b1418979a269abe537d9562713825b7800b0d9"},{"author":{"_account_id":30491,"name":"Radosław Piliszek","display_name":"Radek","email":"radek@piliszek.it","username":"yoctozepto","status":"self-employed techologist, collaborating mostly with 7bulls.com"},"change_message_id":"a3d5fc7b5a877ca2da367081ba0cc07387c7b81b","unresolved":false,"context_lines":[{"line_number":7,"context_line":"    to be run with root privileges via rootwrap/privsep. For a succesful"},{"line_number":8,"context_line":"    attack, this would also require the service to allow to run arbitrary"},{"line_number":9,"context_line":"    commands via rootwrap/privsep. Thus far, no such vulnerabilities have"},{"line_number":10,"context_line":"    been reported and thus this fix is simply strengthening the cointainers"},{"line_number":11,"context_line":"    against such an issue in the future."},{"line_number":12,"context_line":"    `LP#1874298 \u003chttps://launchpad.net/bugs/1874298\u003e`__"}],"source_content_type":"text/x-yaml","patch_set":5,"id":"b50ba587_a99bdebd","line":10,"range":{"start_line":10,"start_character":64,"end_line":10,"end_character":75},"in_reply_to":"819c7048_d61df32d","updated":"2022-10-10 07:43:50.000000000","message":"Done","commit_id":"94b1418979a269abe537d9562713825b7800b0d9"}]}