Nir Magnezi of Red Hat reports:
Description of problem:
=======================
nova _base images permissions shouldn are world readable.
I'd expect more strict
Version-Release number of selected component (if applicable):
=============================================================
Folsom.
How reproducible:
=================
100%
Steps to Reproduce:
===================
1. Run few instances and check the files created at /var/lib/nova/instances/_base
2.
3.
Actual results:
===============
nova _base images permissions are world readable.
-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu 20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu 40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova 20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu 20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan 1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova 0 Jan 3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan 6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan 6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu 20G Jan 6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20
Expected results:
=================
nova _base images should be more strict
The risks associated with fixing this bug in OpenStack 3.0 are greater than its security impact as it would require default behavior to be changed. A future release of OpenStack may address this issue.