Bug 1034247 - Cloud-Init: meta_data.json and user_data files on config-drive are world-readable
Summary: Cloud-Init: meta_data.json and user_data files on config-drive are world-read...
Alias: None
Product: Red Hat Enterprise Virtualization Manager
Classification: Red Hat
Component: ovirt-engine
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 3.4.0
Assignee: Francesco Romani
QA Contact: Pavel Novotny
Whiteboard: virt
Depends On:
Blocks: rhev3.4beta 1142926
TreeView+ depends on / blocked
Reported: 2013-11-25 13:35 UTC by Pavel Novotny
Modified: 2015-09-22 13:09 UTC (History)
9 users (show)

Fixed In Version: ovirt-3.4.0-alpha1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed:
oVirt Team: ---
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
oVirt gerrit 21965 0 None None None Never

Description Pavel Novotny 2013-11-25 13:35:21 UTC
Description of problem:
When using Cloud-Init (via Run Once) for VM bootstrapping, the `user_data` and `meta_data.json` files on the config-drive have world readable permissions. Since they contain sensitive informations such as root password or SSH auth. key, they should not be readable for everyone.

Version-Release number of selected component (if applicable):
rhevm-3.3.0-0.35.beta1.el6ev.noarch (is24)

How reproducible:

Steps to Reproduce:
1. In Webadmin, have a VM and run it via Run Once with some values in Initial Run/Cloud-Init section.
2. On the host the VM is running, search the qemu process for the attached config-drive CD-ROM image (ps aux | grep [q]emu | grep cdrom). 
It looks like: 
-drive file=/var/run/vdsm/payload/d80627d0-04f4-48d5-9335-753354c2cc29.8

3. Mount the image and check permissions of the meta data and user data files:
# mount -t iso9660 -o loop /var/run/vdsm/payload/<config-drive>.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/

Actual results:
-r--r--r--. 1 root root 695 21. lis 17.33 meta_data.json
-r--r--r--. 1 root root 291 21. lis 17.33 user_data

Expected results:
The files should be readable only for root user, not for everyone.

Additional info:

Comment 1 Michal Skrivanek 2013-11-26 09:59:12 UTC
this is exposed in the VM as a CDROM so you need permissions for that so not a big deal. 
Fixing this would require extending the payload feature with user/group and permissions

Comment 2 Michal Skrivanek 2013-12-02 15:10:35 UTC
maybe just by default create a non world-readable files...

Comment 3 Pavel Novotny 2014-02-18 12:36:37 UTC
Verified upstream in ovirt-engine-3.4.0-0.7.beta2.el6.noarch.

Followed reproducer in comment 0 for verification.
The files on the attached config-drive are no longer world-readable:

# mount -t iso9660 -o loop /var/run/vdsm/payload/11b2841c-03bd-43d8-8d43-4ece2392fee8.62b0aaef2741993fc8bc89d3c3bc4f58.img /mnt/cloud-init/
# ls -l /mnt/cloud-init/openstack/latest/
-rw-r-----. 1 root root 252 Feb 18 11:59 meta_data.json
-rw-r-----. 1 root root 222 Feb 18 11:59 user_data

Comment 5 Itamar Heim 2014-06-12 14:08:37 UTC
Closing as part of 3.4.0

Note You need to log in before you can comment on or make changes to this bug.