Bug 893100

Summary: (CVE-2013-0326) OpenStack nova: _base images permissions should not be world readable [openstack-2.1]
Product: Red Hat OpenStack
Reporter: Nir Magnezi <nmagnezi>
Component: openstack-nova
Assignee: Xavier Queralt <xqueralt>
Status: CLOSED DUPLICATE
QA Contact: Nir Magnezi <nmagnezi>
Severity: medium
Priority: medium
Version: 2.0 (Folsom)
CC: abaron, apevec, cpelland, dallan, jkt, kseifried, markmc, ndipanov, rbryant, sclewis
Keywords: Security, SecurityTracking, Triaged
Target Release: 4.0
Hardware: Unspecified
OS: Linux
Doc Type: Release Note
Last Closed: 2013-08-09 00:28:28 EDT
Type: Bug
Bug Blocks: 913377

Description Nir Magnezi 2013-01-08 10:22:19 EST
Description of problem:
=======================
nova _base images permissions are world readable.
I'd expect them to be more strict.

Version-Release number of selected component (if applicable):
=============================================================
Folsom.

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run a few instances and check the files created at /var/lib/nova/instances/_base

Actual results:
===============
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
=================
nova _base images should be more strict

Comment 3 David Ripton 2013-02-18 20:20:15 EST
I proposed this patch upstream at https://review.openstack.org/#/c/22278/

If it gets in, great.  If it does not, we can patch downstream.

Comment 4 David Ripton 2013-02-18 22:51:20 EST
This is upstream bug https://bugs.launchpad.net/nova/+bug/1129748

It may be marked private for now, but it'll probably be made public soon, since this Bugzilla bug is public, as is my review above.

Comment 7 David Ripton 2013-03-04 11:25:06 EST
The upstream patch has been held up because it's failing tests in the devstack-gate.  That's because devstack-gate is running as the stack user, and /opt/stack/data is owned by root.  That's a problem in devstack, which is https://review.openstack.org/#/c/23298/

Comment 13 David Ripton 2013-07-02 09:43:45 EDT
*** Bug 972912 has been marked as a duplicate of this bug. ***

Comment 14 Dave Allan 2013-07-02 12:52:23 EDT
*** Bug 972912 has been marked as a duplicate of this bug. ***

Comment 15 Xavier Queralt 2013-07-10 06:03:49 EDT
I've updated the upstream bug (https://bugs.launchpad.net/nova/+bug/1129748) with my thoughts about the issue.

In short, the qemu instance runs as user qemu, who, after the permissions change with dripton's patch, cannot access the instances directory.

The solution I propose is to change the ownership and permissions of the instances directory from the nova package so that only qemu and nova users can access it.

Comment 16 Kurt Seifried 2013-08-09 00:28:28 EDT

*** This bug has been marked as a duplicate of bug 980590 ***
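
An added example, not part of the original bug report or of nova's code: a Python audit that lists `_base` files with the world-readable bit set, as in the listing in the description, and reports whether the enclosing directories also let other users reach them, which is what the directory-level restriction proposed in comment 15 changes. The sample tree, its file names and the mode `0o750` are constructed assumptions; the ownership change is not shown because it needs root.

```python
import os
import stat
import tempfile


def audit_base(instances_dir):
    """List (name, mode, exposed) for regular files in _base that have o+r set.

    exposed is True only if instances_dir and _base both grant o+x, so an
    unrelated local user could really open the file. Directories above
    instances_dir are not checked (simplifying assumption).
    """
    base = os.path.join(instances_dir, "_base")
    dirs_open = all(os.stat(d).st_mode & stat.S_IXOTH for d in (instances_dir, base))
    findings = []
    for name in sorted(os.listdir(base)):
        mode = os.lstat(os.path.join(base, name)).st_mode
        if stat.S_ISREG(mode) and mode & stat.S_IROTH:
            findings.append((name, oct(stat.S_IMODE(mode)), dirs_open))
    return findings


def build_sample_tree(root):
    """Constructed stand-in for /var/lib/nova/instances, using empty files."""
    instances = os.path.join(root, "instances")
    base = os.path.join(instances, "_base")
    os.makedirs(base)
    for d in (instances, base):
        os.chmod(d, 0o755)
    for name, mode in (("image_a", 0o644), ("image_a_20", 0o644), ("image_b", 0o640)):
        path = os.path.join(base, name)
        open(path, "w").close()
        os.chmod(path, mode)
    return instances


def demo():
    """Audit the sample tree before and after restricting the directory."""
    with tempfile.TemporaryDirectory() as root:
        instances = build_sample_tree(root)
        before = audit_base(instances)
        os.chmod(instances, 0o750)  # assumed mode; the page names no value
        after = audit_base(instances)
    return before, after


if __name__ == "__main__":
    for label, rows in zip(("before", "after"), demo()):
        print(label, rows)
```

On a compute node, `audit_base("/var/lib/nova/instances")` reports the same two facts for the real tree: which files carry the world-readable bit, and whether the directory modes leave them reachable.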