Bug 923226
| Summary: | buffer dir used by s3 store should not default to /tmp | ||
|---|---|---|---|
| Product: | Red Hat OpenStack | Reporter: | Eoghan Glynn <eglynn> |
| Component: | openstack-glance | Assignee: | Flavio Percoco <fpercoco> |
| Status: | CLOSED ERRATA | QA Contact: | Giulio Fidente <gfidente> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 2.1 | CC: | abaron, apevec, eglynn, fpercoco, hateya, lhh, mlopes |
| Target Milestone: | beta | ||
| Target Release: | 4.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | openstack-glance-2013.2-3.el6ost | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-19 23:59:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
Using /tmp is also generally a bad idea from a security POV - there are many hundreds of CVEs resulting from programs using /tmp insecurely. Glance may be perfectly secure in this respect already, but it is better to not take any chances. If we default to /var/cache/glance/s3 or some similar private directory, we can ensure the directory is only writable+readable by the glance user ID, and also set appropriate selinux policy to restrict usage to just glance.

Using 0644 `/var/cache/glance` seems to make more sense.

We should:

1. install swift
2. configure it manually to use amazon s3 as backend
3. try to upload some file and ensure the temporary local copy of the file is in /var/cache/glance (rather than /tmp)

Verified using openstack-glance-2013.2-3.el6ost, the temporary file goes in /var/cache/glance

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html
Description of problem:

The s3 backend store uses temporary buffer files, created under the directory specified by the 's3_store_object_buffer_dir' config variable. If not explicitly set, this defaults to None, meaning tempfile.NamedTemporaryFile defaults to using TMPDIR, TEMP, TMP env vars, then the platform-specific defaults /tmp etc. This default reliance on /tmp can lead to security issues.

Version-Release number of selected component (if applicable):

```
# sudo rpm -qa | grep glance
python-glanceclient-0.8.0-3.el6ost.noarch
openstack-glance-2012.2.3-7.el6ost.noarch
python-glance-2012.2.3-7.el6ost.noarch
```

How reproducible:

100%

Steps to Reproduce:

1. Enable the s3 backend
2. Fill up /tmp with:

```
# set COUNT appropriately
# (reads from /dev/zero; /dev/null would produce an empty file)
dd if=/dev/zero of=/tmp/filler.delete bs=1M count=$COUNT
```

3. Attempt to upload an image

Actual results:

The upload fails with ENOSPC from glance.s3.store.Store.add().

Expected results:

Buffer file location should default to some glance-specific dir outside of /tmp, e.g. /var/cache/glance/s3

Additional info:

We could address this by overriding s3_store_object_buffer_dir in the glance distribution config (/usr/share/glance/glance-api-dist.conf) *and* also ensuring in the openstack-glance.spec that the directory exists.
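
The fallback described in this report, next to a check that a buffer directory is private before it is used, as an added example (not Glance's code and not part of the bug report). The helper names and the 0700 ownership policy are assumptions, and the demo uses a constructed scratch directory in place of /var/cache/glance/s3.

```python
import os
import stat
import tempfile


def effective_buffer_dir(configured=None):
    """Directory that NamedTemporaryFile(dir=configured) writes into."""
    # dir=None falls back to TMPDIR, TEMP, TMP, then platform defaults (/tmp).
    return configured if configured is not None else tempfile.gettempdir()


def check_private_dir(path):
    """Return the reasons `path` is unsuitable as a private buffer dir."""
    st = os.lstat(path)  # lstat: do not follow a symlink planted at `path`
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink"]
    problems = []
    if not stat.S_ISDIR(st.st_mode):
        problems.append("is not a directory")
    if st.st_uid != os.geteuid():
        problems.append("is not owned by the service user")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("is accessible to group or other")
    return problems


def open_buffer_file(buffer_dir):
    """Create the buffer dir as 0700 if missing, verify it, open a temp file."""
    os.makedirs(buffer_dir, mode=0o700, exist_ok=True)
    problems = check_private_dir(buffer_dir)
    if problems:
        raise PermissionError(f"{buffer_dir}: " + ", ".join(problems))
    return tempfile.NamedTemporaryFile(dir=buffer_dir)


if __name__ == "__main__":
    # Constructed scratch tree standing in for /var/cache/glance.
    base = tempfile.mkdtemp()
    print("unset option resolves to:", effective_buffer_dir(None))
    with open_buffer_file(os.path.join(base, "s3")) as buf:
        print("private buffer file:", buf.name)
    shared = os.path.join(base, "shared")
    os.mkdir(shared)
    os.chmod(shared, 0o1777)  # same mode as /tmp
    print("shared dir rejected because it", check_private_dir(shared))
```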