author | Yuriy Taraday <yorik.sar@gmail.com> | 2016-02-26 13:21:14 +0000 |
---|---|---|
committer | Yuriy Taraday <yorik.sar@gmail.com> | 2016-02-26 16:36:17 +0300 |
commit | 499d5aa36d352cf3bfc163cd90e445acc4dd2a16 (patch) | |
tree | 41d5383848233c67a03916c02d4de02dc5e1e352 /oslo_concurrency | |
parent | 5021ef82fd8f0323b82d6d010bff9dab8a0cbcec (diff) | |
download | oslo-concurrency-499d5aa36d352cf3bfc163cd90e445acc4dd2a16.tar.gz |

Revert "Use tempfile.tempdir for lock_path if OSLO_LOCK_PATH is not set"

This reverts commit 5021ef82fd8f0323b82d6d010bff9dab8a0cbcec.

That commit set default location for lock files to a world-writable
directory (like /tmp) which violates security precaution stated right in
the help string of lock_path config variable: lock_path should be
writable by the user of the process using it only.

There is some history behind this:

- when we decided to not do tempfile.mkdtemp if lock_path were not set
  (because it was broken), it broke upgrades for all components
  (starting with Cinder);
- it was suggested to provide the same default value:
  https://review.openstack.org/60274
  but it was not accepted because it weakens security;
- there was a thread about this in ML, please read it for more history:
  http://lists.openstack.org/pipermail/openstack-dev/2013-December/021055.html
  it ended up with understanding that only a project using the library
  can provide sane default value for lock_path, not the library itself.

Change-Id: I801004ad3c83862849696f00c6e7ca9877fd496b

Diffstat (limited to 'oslo_concurrency')
-rw-r--r-- | oslo_concurrency/lockutils.py | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/oslo_concurrency/lockutils.py b/oslo_concurrency/lockutils.py index 227af59..2e61ff3 100644 --- a/oslo_concurrency/lockutils.py +++ b/oslo_concurrency/lockutils.py @@ -41,14 +41,11 @@ _opts = [ help='Enables or disables inter-process locks.', deprecated_group='DEFAULT'), cfg.StrOpt('lock_path', - default=os.environ.get("OSLO_LOCK_PATH", tempfile.gettempdir()), + default=os.environ.get("OSLO_LOCK_PATH"), help='Directory to use for lock files. For security, the ' 'specified directory should only be writable by the user ' 'running the processes that need locking. ' 'Defaults to environment variable OSLO_LOCK_PATH. ' - 'If OSLO_LOCK_PATH is not set in the environment, use the ' - 'Python tempfile.gettempdir function to find a suitable ' - 'location. ' 'If external locks are used, a lock path must be set.', deprecated_group='DEFAULT') ] |
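
Review bot: The help string for lock_path, once the three lines about tempfile.gettempdir are removed, no longer says what happens when OSLO_LOCK_PATH is unset. With default=os.environ.get("OSLO_LOCK_PATH") the option is None in that case, and the only hint left is the closing sentence 'If external locks are used, a lock path must be set.' Suggest saying it outright in the help text, for example "If OSLO_LOCK_PATH is not set, there is no default.", so that operators coming from the reverted behaviour know they have to configure a directory writable only by the service user. The default is also read from the environment once, when the _opts list is built, so exporting OSLO_LOCK_PATH after the module has been imported does not change it; that is worth a sentence in the help string or the docs.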