Low severity · NVD Advisory · Published Jun 16, 2015 · Updated May 6, 2026
CVE-2015-3010
Description
ceph-deploy before 1.5.23 uses weak permissions (644) for ceph/ceph.client.admin.keyring, which allows local users to obtain sensitive information by reading the file.
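A check for the condition described above, as an added example that is not ceph-deploy code: it lists keyring files in a ceph-deploy working directory that group or other can access, then restricts them to 0600. The function names and the sample directory contents are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

# Hypothetical helpers for illustration; not part of ceph-deploy.
LOOSE_BITS = stat.S_IRWXG | stat.S_IRWXO  # any access for group or other


def find_loose_keyrings(directory):
    """Return [(path, mode)] for *.keyring files group/other can access."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        st = os.lstat(path)  # lstat: do not follow symlinks
        if not name.endswith(".keyring") or not stat.S_ISREG(st.st_mode):
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & LOOSE_BITS:
            findings.append((path, mode))
    return findings


def tighten(findings):
    """Restrict each reported file to owner read/write (0600)."""
    for path, _mode in findings:
        os.chmod(path, 0o600)


def demo():
    """Audit a constructed working directory, fix it, audit again."""
    workdir = tempfile.mkdtemp()
    for name, mode in [("ceph.client.admin.keyring", 0o644),
                       ("ceph.mon.keyring", 0o600),
                       ("ceph.conf", 0o644)]:
        path = os.path.join(workdir, name)
        with open(path, "w") as f:
            f.write("constructed sample, no real key\n")
        os.chmod(path, mode)  # explicit chmod, so the umask does not matter
    before = find_loose_keyrings(workdir)
    tighten(before)
    return before, find_loose_keyrings(workdir)


if __name__ == "__main__":
    before, after = demo()
    for path, mode in before:
        print("%s had mode %o" % (path, mode))
    print("loose keyrings after fix: %d" % len(after))
```

Files that were world-readable at any point should be treated as exposed; tightening the mode does not undo an earlier read.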
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ceph-deploy (PyPI) | < 1.5.23 | 1.5.23 |
Affected products
- cpe:2.3:a:ceph:ceph-deploy:1.5.22:*:*:*:*:*:*:*
Patches
eee56770393b Merge pull request #272 from trhoden/wip_key_perms
2 files changed · +52 −46
ceph_deploy/gatherkeys.py+39 −36 modified@@ -30,51 +30,54 @@ def fetch_file(args, frompath, topath, _hosts): def gatherkeys(args): - # client.admin - keyring = '/etc/ceph/{cluster}.client.admin.keyring'.format( - cluster=args.cluster) - r = fetch_file( - args=args, - frompath=keyring, - topath='{cluster}.client.admin.keyring'.format( - cluster=args.cluster), - _hosts=args.mon, - ) - if not r: - raise exc.KeyNotFoundError(keyring, args.mon) - - # mon. - keyring = '/var/lib/ceph/mon/{cluster}-{{hostname}}/keyring'.format( - cluster=args.cluster) - r = fetch_file( - args=args, - frompath=keyring, - topath='{cluster}.mon.keyring'.format(cluster=args.cluster), - _hosts=args.mon, - ) - if not r: - raise exc.KeyNotFoundError(keyring, args.mon) + oldmask = os.umask(077) + try: + # client.admin + keyring = '/etc/ceph/{cluster}.client.admin.keyring'.format( + cluster=args.cluster) + r = fetch_file( + args=args, + frompath=keyring, + topath='{cluster}.client.admin.keyring'.format( + cluster=args.cluster), + _hosts=args.mon, + ) + if not r: + raise exc.KeyNotFoundError(keyring, args.mon) - # bootstrap - for what in ['osd', 'mds', 'rgw']: - keyring = '/var/lib/ceph/bootstrap-{what}/{cluster}.keyring'.format( - what=what, + # mon. + keyring = '/var/lib/ceph/mon/{cluster}-{{hostname}}/keyring'.format( cluster=args.cluster) r = fetch_file( args=args, frompath=keyring, - topath='{cluster}.bootstrap-{what}.keyring'.format( - cluster=args.cluster, - what=what), + topath='{cluster}.mon.keyring'.format(cluster=args.cluster), _hosts=args.mon, ) if not r: - if what in ['osd', 'mds']: - raise exc.KeyNotFoundError(keyring, args.mon) - else: - LOG.warning(("No RGW bootstrap key found. 
Will not be able to " - "deploy RGW daemons")) + raise exc.KeyNotFoundError(keyring, args.mon) + # bootstrap + for what in ['osd', 'mds', 'rgw']: + keyring = '/var/lib/ceph/bootstrap-{what}/{cluster}.keyring'.format( + what=what, + cluster=args.cluster) + r = fetch_file( + args=args, + frompath=keyring, + topath='{cluster}.bootstrap-{what}.keyring'.format( + cluster=args.cluster, + what=what), + _hosts=args.mon, + ) + if not r: + if what in ['osd', 'mds']: + raise exc.KeyNotFoundError(keyring, args.mon) + else: + LOG.warning(("No RGW bootstrap key found. Will not be able to " + "deploy RGW daemons")) + finally: + os.umask(oldmask) @priority(40) def make(parser):
ceph_deploy/new.py+13 −10 modified@@ -211,18 +211,21 @@ def new_mon_keyring(args): keypath = '{name}.mon.keyring'.format( name=args.cluster, ) - + oldmask = os.umask(077) LOG.debug('Writing monitor keyring to %s...', keypath) - tmp = '%s.tmp' % keypath - with file(tmp, 'w') as f: - f.write(mon_keyring) try: - os.rename(tmp, keypath) - except OSError as e: - if e.errno == errno.EEXIST: - raise exc.ClusterExistsError(keypath) - else: - raise + tmp = '%s.tmp' % keypath + with open(tmp, 'w', 0600) as f: + f.write(mon_keyring) + try: + os.rename(tmp, keypath) + except OSError as e: + if e.errno == errno.EEXIST: + raise exc.ClusterExistsError(keypath) + else: + raise + finally: + os.umask(oldmask) @priority(10)
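Review bot: In ceph_deploy/gatherkeys.py, `oldmask = os.umask(077)` around the fetch_file calls only affects files that are created while it is in force; a `{cluster}.client.admin.keyring` that already exists in the working directory with mode 644 keeps that mode when it is overwritten. fetch_file's write path is not part of this hunk, so consider setting the mode explicitly there (os.chmod on topath, or creating the file with os.open and mode 0600) so the result does not depend on the process umask. Separately, `077` is a Python 2-only octal literal; `0o077` parses on Python 2.6+ as well as Python 3.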
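Review bot: In ceph_deploy/new.py, `with open(tmp, 'w', 0600) as f:` does not set the file mode: the third positional argument of the built-in open() is the buffer size, so 0600 is taken as a 384-byte buffer and the permissions of the temporary file come only from the surrounding `os.umask(077)`. If the mode is meant to be explicit, create the file with os.open(tmp, os.O_WRONLY | os.O_CREAT, 0600) and wrap the descriptor with os.fdopen. Also, `LOG.debug('Writing monitor keyring to %s...', keypath)` runs after the umask change but before the `try:`, so an exception there would skip the `finally:` that restores oldmask; moving the os.umask call to the line directly before `try:` closes that gap.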
References
- github.com/advisories/GHSA-9w4f-3v37-6f75 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2015-3010 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2015-April/155576.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2015-April/155631.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2015-1092.html (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/04/09/11 (nvd, WEB)
- www.openwall.com/lists/oss-security/2015/04/09/9 (nvd, WEB)
- www.securityfocus.com/bid/74043 (nvd, WEB)
- bugzilla.suse.com/show_bug.cgi (nvd, WEB)
- github.com/ceph/ceph-deploy/commit/eee56770393bf19ed2dd5389226c6190c08dee3f (nvd, WEB)
- github.com/ceph/ceph-deploy/pull/272 (nvd, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ceph-deploy/PYSEC-2015-2.yaml (ghsa, WEB)
- web.archive.org/web/20200228233028/http://www.securityfocus.com/bid/74043 (ghsa, WEB)