Bug 1034247

Summary: Cloud-Init: meta_data.json and user_data files on config-drive are world-readable
Product: Red Hat Enterprise Virtualization Manager
Reporter: Pavel Novotny <pnovotny>
Component: ovirt-engine
Assignee: Francesco Romani <fromani>
Status: CLOSED CURRENTRELEASE
QA Contact: Pavel Novotny <pnovotny>
Severity: medium
Priority: unspecified
Version: 3.3.0
CC: acathrow, iheim, lpeer, mavital, michal.skrivanek, Rhev-m-bugs, sherold, s.kieske, yeylon
Target Release: 3.4.0
Hardware: Unspecified
OS: Unspecified
Whiteboard: virt
Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Bug Fix
Type: Bug
Bug Blocks: 1078909, 1142926

Description Pavel Novotny 2013-11-25 13:35:21 UTC
Description of problem:
When using Cloud-Init (via Run Once) for VM bootstrapping, the `user_data` and `meta_data.json` files on the config-drive have world-readable permissions. Since they contain sensitive information such as root password or SSH auth. key, they should not be readable by everyone.


Version-Release number of selected component (if applicable):
rhevm-3.3.0-0.35.beta1.el6ev.noarch (is24)

How reproducible:
100%

Steps to Reproduce:
1. In Webadmin, have a VM and run it via Run Once with some values in Initial Run/Cloud-Init section.
2. On the host the VM is running, search the qemu process for the attached config-drive CD-ROM image (`ps aux | grep [q]emu | grep cdrom`).
It looks like:
-drive file=/var/run/vdsm/payload/d80627d0-04f4-48d5-9335-753354c2cc29.81b3df31f8697cbeb6accd60218166b7.img,if=none,media=cdrom,id=drive-ide0-1-1,readonly=on,format=raw,serial=

3. Mount the image and check permissions of the meta data and user data files:
# mount -t iso9660 -o loop /var/run/vdsm/payload/<config-drive>.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/

Actual results:
-r--r--r--. 1 root root 695 21. lis 17.33 meta_data.json
-r--r--r--. 1 root root 291 21. lis 17.33 user_data

Expected results:
The files should be readable only for root user, not for everyone.

Additional info:

Comment 1 Michal Skrivanek 2013-11-26 09:59:12 UTC
This is exposed in the VM as a CDROM, so you need permissions for that, so not a big deal.
Fixing this would require extending the payload feature with user/group and permissions.

Comment 2 Michal Skrivanek 2013-12-02 15:10:35 UTC
Maybe just by default create non-world-readable files...

Comment 3 Pavel Novotny 2014-02-18 12:36:37 UTC
Verified upstream in ovirt-engine-3.4.0-0.7.beta2.el6.noarch.

Followed reproducer in comment 0 for verification.
Results:
The files on the attached config-drive are no longer world-readable:

# mount -t iso9660 -o loop /var/run/vdsm/payload/11b2841c-03bd-43d8-8d43-4ece2392fee8.62b0aaef2741993fc8bc89d3c3bc4f58.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/
-rw-r-----. 1 root root 252 Feb 18 11:59 meta_data.json
-rw-r-----. 1 root root 222 Feb 18 11:59 user_data

Comment 5 Itamar Heim 2014-06-12 14:08:37 UTC
Closing as part of 3.4.0
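
The permission check from the reproducer and from the verification in comment 3, written as a repeatable audit. This is an added example, not part of the original bug report and not oVirt or VDSM code; the helper names `audit_config_drive` and `make_sample_tree` are hypothetical, and the demo runs against constructed directory trees instead of a mounted payload image.

```shell
# Added example: audit an already-mounted Cloud-Init config-drive for
# world-readable metadata files (the condition reported in this bug).
# audit_config_drive and make_sample_tree are hypothetical helper names.

# Usage: audit_config_drive <mount-point>
# Returns 0 if neither file is world-readable, 1 if at least one is,
# 2 if <mount-point>/openstack/latest does not exist.
audit_config_drive() {
    dir="$1/openstack/latest"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 2; }
    rc=0
    for name in meta_data.json user_data; do
        f="$dir/$name"
        [ -f "$f" ] || { echo "SKIP  $f (not present)"; continue; }
        # -perm -004 matches when the "other" read bit is set.
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "FAIL  $f is world-readable"
            rc=1
        else
            echo "OK    $f"
        fi
    done
    return "$rc"
}

# Build a constructed sample tree (not a real payload image) whose two
# files carry the mode given as $1; prints the tree's root directory.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/openstack/latest"
    for name in meta_data.json user_data; do
        printf '{}\n' > "$root/openstack/latest/$name"
        chmod "$1" "$root/openstack/latest/$name"
    done
    echo "$root"
}

# Demo: 0444 matches "Actual results", 0640 matches the listing in comment 3.
before=$(make_sample_tree 444)
after=$(make_sample_tree 640)
audit_config_drive "$before" || echo "=> world-readable files found"
audit_config_drive "$after" && echo "=> no world-readable files"
rm -rf "$before" "$after"
```

On a host, pass the directory where the config-drive image is mounted (for example `/mnt/cloud-init`, as in the reproducer) to `audit_config_drive`.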