Bug 893100
Summary: | (CVE-2013-0326) OpenStack nova: _base images permissions should not be world readable [openstack-2.1] | | |
---|---|---|---|
Product: | Red Hat OpenStack | Reporter: | Nir Magnezi <nmagnezi> |
Component: | openstack-nova | Assignee: | Xavier Queralt <xqueralt> |
Status: | CLOSED DUPLICATE | QA Contact: | Nir Magnezi <nmagnezi> |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 2.0 (Folsom) | CC: | abaron, apevec, cpelland, dallan, jkt, kseifried, markmc, ndipanov, sclewis |
Target Milestone: | --- | Keywords: | Security, SecurityTracking, Triaged |
Target Release: | 4.0 | | |
Hardware: | Unspecified | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Release Note |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2013-08-09 04:28:28 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | | | |
Bug Blocks: | 913377 | | |
Description
Nir Magnezi
2013-01-08 15:22:19 UTC
I proposed this patch upstream at https://review.openstack.org/#/c/22278/. If it gets in, great. If it does not, we can patch downstream.

This is upstream bug https://bugs.launchpad.net/nova/+bug/1129748. It may be marked private for now, but it'll probably be made public soon, since this Bugzilla bug is public, as is my review above.

The upstream patch has been held up because it's failing tests in the devstack-gate. That's because devstack-gate is running as the stack user, and /opt/stack/data is owned by root. That's a problem in devstack, which is https://review.openstack.org/#/c/23298/

*** Bug 972912 has been marked as a duplicate of this bug. ***

I've updated the upstream bug (https://bugs.launchpad.net/nova/+bug/1129748) with my thoughts about the issue. In short, the qemu instance runs as user qemu who, after the permissions change with dripton's patch, cannot access the instances directory. The solution I propose is to change the ownership and permissions of the instances directory from the nova package so that only the qemu and nova users can access it.

*** This bug has been marked as a duplicate of bug 980590 ***
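The last comment above describes the shape of the fix: the instances directory (and the _base images under it) should be owned so that the nova service account and the qemu hypervisor account can read it, while every other local user is shut out. The script below is an added illustration written for this page; it is not the upstream patch, the nova package's spec, or the resolution recorded in bug 980590, none of whose exact commands the bug text gives. It provides a check that lists world-readable entries under a directory and a hardening step that sets owner/group and 0750/0640 modes. The path /var/lib/nova/instances and the account names nova and qemu in the usage comments are assumptions about a typical packaged layout, not values taken from the bug.

```shell
#!/bin/sh
# Added illustration (not code from the bug report or from the nova package):
# audit an instances tree for world-readable entries, then tighten it so that
# only one owner (the nova service user) and one group (the hypervisor's qemu
# account) can reach it. Paths and account names below are assumptions.

# Print every file or directory under $1 whose mode grants read to "other".
# Returns 1 if anything was found, 0 if the tree is clean (usable in cron/CI).
find_world_readable() {
    dir=$1
    # -perm -004 matches any entry that has the o+r bit set (octal form is
    # accepted by POSIX find, GNU find and BSD find alike).
    found=$(find "$dir" -perm -004 -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Number of world-readable entries under $1, convenient for scripted checks.
count_world_readable() {
    find "$1" -perm -004 -print | wc -l | tr -d ' '
}

# Restrict $1 to owner $2 and group $3:
#   directories 0750  owner rwx, group rx, other nothing
#   regular files 0640 owner rw,  group r,  other nothing
# Putting the hypervisor account in the group is what lets qemu keep opening
# backing images after "other" loses read access, which is the breakage the
# bug comments describe when only the world bits are dropped.
harden_instances_dir() {
    dir=$1; owner=$2; group=$3
    chown -R "$owner:$group" "$dir"
    find "$dir" -type d -exec chmod 0750 {} +
    find "$dir" -type f -exec chmod 0640 {} +
}

# Stand-alone usage (assumed packaged layout; adjust to the deployment):
#   harden_instances_dir /var/lib/nova/instances nova qemu
#   find_world_readable  /var/lib/nova/instances || echo "world-readable entries remain"
```

The check is deliberately separate from the fix: running find_world_readable from a periodic job catches images that later land in _base with a permissive umask, which a one-time chmod at install time would miss.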