Bug 893100 - (CVE-2013-0326) OpenStack nova: _base images permissions should not be world readable [openstack-2.1]
Status: CLOSED DUPLICATE of bug 980590
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
2.0 (Folsom)
Unspecified Linux
medium Severity medium
: ---
: 4.0
Assigned To: Xavier Queralt
Nir Magnezi
: Security, SecurityTracking, Triaged
Depends On:
Blocks: CVE-2013-0326
Reported: 2013-01-08 10:22 EST by Nir Magnezi
Modified: 2016-04-26 22:30 EDT

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-08-09 00:28:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


External Trackers
Tracker ID Priority Status Summary Last Updated
OpenStack gerrit 22278 None None None Never

Description Nir Magnezi 2013-01-08 10:22:19 EST
Description of problem:
nova _base images permissions are world readable.
I'd expect them to be more strict.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run few instances and check the files created at /var/lib/nova/instances/_base
Actual results:
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
nova _base images permissions should be more strict.
Comment 3 David Ripton 2013-02-18 20:20:15 EST
I proposed this patch upstream at https://review.openstack.org/#/c/22278/

If it gets in, great.  If it does not, we can patch downstream.
Comment 4 David Ripton 2013-02-18 22:51:20 EST
This is upstream bug https://bugs.launchpad.net/nova/+bug/1129748

It may be marked private for now, but it'll probably be made public soon, since this Bugzilla bug is public, as is my review above.
Comment 7 David Ripton 2013-03-04 11:25:06 EST
The upstream patch has been held up because it's failing tests in the devstack-gate.  That's because devstack-gate is running as the stack user, and /opt/stack/data is owned by root.  That's a problem in devstack, which is https://review.openstack.org/#/c/23298/
Comment 13 David Ripton 2013-07-02 09:43:45 EDT
*** Bug 972912 has been marked as a duplicate of this bug. ***
Comment 14 Dave Allan 2013-07-02 12:52:23 EDT
*** Bug 972912 has been marked as a duplicate of this bug. ***
Comment 15 Xavier Queralt 2013-07-10 06:03:49 EDT
I've updated the upstream bug (https://bugs.launchpad.net/nova/+bug/1129748) with my thoughts about the issue.

In short, the qemu instance runs as user qemu who, after the permissions change in dripton's patch, cannot access the instances directory.

The solution I propose is to change the ownership and permissions of the instances directory from the nova package so that only qemu and nova users can access it.
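An added audit helper (example code, not part of this bug report, of dripton's patch or of nova itself) that flags world-readable entries in an `ls -l` listing like the one pasted in the description, and shows the mode each entry would have with every "other" bit dropped, which keeps access for the nova and qemu users as comment 15 proposes. The three sample lines are constructed from the report's listing plus one already-hardened entry; the `world_readable_in_dir` function applies the same check to a live directory such as `/var/lib/nova/instances/_base`.

```python
import os
import re
import stat

# Constructed sample: two lines copied from the report's listing plus one
# already-hardened entry (owner nova, group qemu, mode 640) for contrast.
SAMPLE_LISTING = """\
-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r-----. 1 nova qemu 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
"""

# `ls -l` fields: type+mode (optional SELinux '.' or ACL '+'), links, owner,
# group, size, month, day, time-or-year, name.
_LINE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\S+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+)$"
)
_FLAGS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
          stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
          stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

def mode_bits(symbolic: str) -> int:
    """Convert the 9-character rwxrwxrwx part of an ls mode string to an int."""
    bits = 0
    for ch, flag in zip(symbolic, _FLAGS):
        if ch in "rwxst":  # 's' and 't' imply the execute bit is set
            bits |= flag
    return bits

def check_mode(name: str, mode: int, owner: str, group: str):
    """Return (name, owner, group, mode, hardened_mode) if 'other' can read
    the entry, else None. The hardened mode keeps user/group bits intact."""
    if mode & stat.S_IROTH:
        return (name, owner, group, oct(mode), oct(mode & ~stat.S_IRWXO))
    return None

def world_readable_in_listing(listing: str) -> list:
    """Flag world-readable entries in pasted `ls -l` output."""
    findings = []
    for line in listing.splitlines():
        m = _LINE.match(line)
        if m:
            f = check_mode(m["name"], mode_bits(m["mode"][1:]), m["owner"], m["group"])
            if f:
                findings.append(f)
    return findings

def world_readable_in_dir(path: str) -> list:
    """Same check against a live directory, reporting numeric uid/gid."""
    findings = []
    for entry in os.scandir(path):
        st = entry.stat(follow_symlinks=False)
        f = check_mode(entry.name, stat.S_IMODE(st.st_mode), str(st.st_uid), str(st.st_gid))
        if f:
            findings.append(f)
    return findings
```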
Comment 16 Kurt Seifried 2013-08-09 00:28:28 EDT

*** This bug has been marked as a duplicate of bug 980590 ***
