)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"182e4a550f3f1596c1d544ce3d13e343f4aaaecc","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"605f4027_d56a9da3","updated":"2022-09-05 09:29:38.000000000","message":"I love the idea, but there\u0027s an open question.","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ca6444c3af5588ea62b4a56278716c30d42e5dde","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"b91ba539_d28e0c77","updated":"2022-09-07 08:18:06.000000000","message":"Removing vote - maybe we can even drop the chmod?","commit_id":"c2426197e3acff9041efb5bca58995cd5fdba2f1"}],"container-images/tcib/base/os/ironic-base/ironic-api/ironic-api.yaml":[{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"182e4a550f3f1596c1d544ce3d13e343f4aaaecc","unresolved":true,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"b28c1ef3_bf6ed79a","line":3,"updated":"2022-09-05 09:29:38.000000000","message":"I\u0027m wondering if we shouldn\u0027t chown -R *after* the cp -a ? Isn\u0027t the \"app\" supposed to belong to ironic as well?\nThat\u0027s what is done here actually:\nhttps://github.com/openstack/puppet-openstacklib/blob/master/manifests/wsgi/apache.pp#L294-L301","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"ca6444c3af5588ea62b4a56278716c30d42e5dde","unresolved":true,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"b27f42f1_24da4978","line":3,"in_reply_to":"31baf336_2bd03fdc","updated":"2022-09-07 08:18:06.000000000","message":"hmmm ok. Makes sense - though a directory owned by the user may lead to the exact same issue in the end. Is there an actual need to make that directory owned by ironic?","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"e7275f366090c146471091c8a267a84d591c2e74","unresolved":true,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"31baf336_2bd03fdc","line":3,"in_reply_to":"386002fc_ff3d5eb6","updated":"2022-09-07 03:47:41.000000000","message":"I\u0027d actually consider /var/www/cgi-bin/ironic/app being owned by the ironic user a security risk, if the attacker can get ironic (running as user ironic) to write to /var/www/cgi-bin/ironic/app then they can get arbitrary code executed. Code should only be writable by root.","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8d4acd08d01a93ced908a13f70003d11ec574f39","unresolved":true,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"c1bb02aa_24426998","line":3,"in_reply_to":"b27f42f1_24da4978","updated":"2022-09-11 21:23:53.000000000","message":"Agreed, I\u0027ll remove the chown","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":28223,"name":"Cedric Jeanneret","display_name":"cjeanner (Tengu)","email":"cjeanner@redhat.com","username":"cjeanner"},"change_message_id":"e8799480c9ea6fcf82e1fbe48b3d539ba157e64f","unresolved":true,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"386002fc_ff3d5eb6","line":3,"in_reply_to":"b28c1ef3_bf6ed79a","updated":"2022-09-05 09:33:39.000000000","message":"Sorry, correct block is here:\nhttps://github.com/openstack/puppet-openstacklib/blob/master/manifests/wsgi/apache.pp#L303-L311\n\nThat\u0027s the one actually copying the app.","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"},{"author":{"_account_id":4571,"name":"Steve Baker","email":"sbaker@redhat.com","username":"steve-stevebaker"},"change_message_id":"8661df5264cd0edce81ac8538cc2f571fc9ca8e7","unresolved":false,"context_lines":[{"line_number":1,"context_line":"tcib_actions:"},{"line_number":2,"context_line":"- run: dnf -y install {{ tcib_packages[\u0027common\u0027] | join(\u0027 \u0027) }} \u0026\u0026 dnf clean all \u0026\u0026 rm -rf /var/cache/dnf"},{"line_number":3,"context_line":"- run: mkdir -p /var/www/cgi-bin/ironic \u0026\u0026 chown -R ironic /var/www/cgi-bin/ironic"},{"line_number":4,"context_line":"- run: cp -a /usr/bin/ironic-api-wsgi /var/www/cgi-bin/ironic/app"},{"line_number":5,"context_line":"- run: sed -i -r \u0027s,^(Listen 80),#\\1,\u0027 /etc/httpd/conf/httpd.conf  \u0026\u0026 sed -i -r \u0027s,^(Listen 443),#\\1,\u0027 /etc/httpd/conf.d/ssl.conf"},{"line_number":6,"context_line":"- run: ln -s /usr/share/openstack-tripleo-common/healthcheck/ironic-api /openstack/healthcheck \u0026\u0026 chmod a+rx /openstack/healthcheck"}],"source_content_type":"text/x-yaml","patch_set":1,"id":"0e1f9658_41e511f2","line":3,"in_reply_to":"c1bb02aa_24426998","updated":"2022-09-11 21:30:01.000000000","message":"Done","commit_id":"e56ae3542ed6d52f2bf0107b175a4ec1aaa252cb"}]}