Bug 893100 - (CVE-2013-0326) OpenStack nova: _base images permissions should not be world readable [openstack-2.1]
Summary: (CVE-2013-0326) OpenStack nova: _base images permissions should not be world ...
Keywords:
Status: CLOSED DUPLICATE of bug 980590
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-nova
Version: 2.0 (Folsom)
Hardware: Unspecified
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
: 4.0
Assignee: Xavier Queralt
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On:
Blocks: CVE-2013-0326
 
Reported: 2013-01-08 15:22 UTC by Nir Magnezi
Modified: 2019-09-09 15:17 UTC
CC List: 9 users

Fixed In Version:
Doc Type: Release Note
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-08-09 04:28:28 UTC
Target Upstream Version:
Embargoed:




Links:
System: OpenStack gerrit, ID: 22278, Private: 0, Priority: None, Status: None, Summary: None, Last Updated: Never

Description Nir Magnezi 2013-01-08 15:22:19 UTC
Description of problem:
=======================
nova _base images permissions are world readable.
I'd expect them to be more strict.

Version-Release number of selected component (if applicable):
=============================================================
Folsom.

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run a few instances and check the files created at /var/lib/nova/instances/_base
Actual results:
===============
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
=================
nova _base images should be more strict

Comment 3 David Ripton 2013-02-19 01:20:15 UTC
I proposed this patch upstream at https://review.openstack.org/#/c/22278/

If it gets in, great.  If it does not, we can patch downstream.

Comment 4 David Ripton 2013-02-19 03:51:20 UTC
This is upstream bug https://bugs.launchpad.net/nova/+bug/1129748

It may be marked private for now, but it'll probably be made public soon, since this Bugzilla bug is public, as is my review above.

Comment 7 David Ripton 2013-03-04 16:25:06 UTC
The upstream patch has been held up because it's failing tests in the devstack-gate.  That's because devstack-gate is running as the stack user, and /opt/stack/data is owned by root.  That's a problem in devstack, which is https://review.openstack.org/#/c/23298/

Comment 13 David Ripton 2013-07-02 13:43:45 UTC
*** Bug 972912 has been marked as a duplicate of this bug. ***

Comment 14 Dave Allan 2013-07-02 16:52:23 UTC
*** Bug 972912 has been marked as a duplicate of this bug. ***

Comment 15 Xavier Queralt 2013-07-10 10:03:49 UTC
I've updated the upstream bug (https://bugs.launchpad.net/nova/+bug/1129748) with my thoughts about the issue.

In short, the qemu instance runs as user qemu, who, after the permissions change in dripton's patch, cannot access the instances directory.

The solution I propose is to change the ownership and permissions of the instances directory from the nova package so that only qemu and nova users can access it.
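
The check from the bug description (a listing of /var/lib/nova/instances/_base showing 0644 files) and the fix proposed in comment 15 (directory ownership and permissions restricted to the nova and qemu users), as an added shell example that is not part of the bug report, of nova, or of the proposed patches. It assumes a compute host where nova and qemu share a group, so that 0750 directories and 0640 files give exactly those two accounts access; the chown step itself is left out so the example runs unprivileged, and the _base fixture it builds is constructed here with the file names and 0644 modes from the ls output above.

```shell
#!/bin/sh
# Added example, not part of the bug report or of nova's own code.
# Assumption (not stated on the page): nova and qemu share a group on
# the compute host, and no other local account needs the instances tree.

# List regular files under DIR that are readable by "other"
# (the condition the bug report's ls output shows for every file).
world_readable() {
    find "$1" -type f -perm -o=r | sort
}

# Number of world-readable files under DIR, as a bare integer.
count_world_readable() {
    world_readable "$1" | wc -l | tr -d ' '
}

# Tighten DIR so only owner and group can traverse it and read its files.
# The matching ownership change (chown nova:<shared group>) is deliberately
# left out so this runs unprivileged; without it, as comment 15 notes,
# the qemu process loses access to the images.
harden_instances_dir() {
    chmod 0750 "$1"
    find "$1" -type d -exec chmod 0750 {} +
    find "$1" -type f -exec chmod 0640 {} +
}

# Constructed stand-in for /var/lib/nova/instances/_base, using three of
# the file names from the report and the 0644/0755 modes it shows.
# Prints the temporary root directory.
make_fixture() {
    fixture_root=$(mktemp -d)
    mkdir "$fixture_root/_base"
    for f in f7e6702d38be6ef3a5a66812d56615252a7f1e04 \
             f7e6702d38be6ef3a5a66812d56615252a7f1e04_20 \
             ephemeral_0_20_None; do
        : > "$fixture_root/_base/$f"
        chmod 0644 "$fixture_root/_base/$f"
    done
    chmod 0755 "$fixture_root/_base"
    printf '%s\n' "$fixture_root"
}

# Demonstration on the constructed tree: 3 world-readable files before,
# 0 after hardening.
demo_root=$(make_fixture)
echo "before: $(count_world_readable "$demo_root/_base") world-readable file(s)"
harden_instances_dir "$demo_root/_base"
echo "after:  $(count_world_readable "$demo_root/_base") world-readable file(s)"
rm -rf "$demo_root"
```

On a real host, run the audit against /var/lib/nova/instances as an unprivileged user: anything it prints can be copied by any local account, and _base holds the backing images for every instance on that node. Apply the hardening only together with the ownership change from comment 15, since a 0750 tree owned by nova alone reproduces exactly the qemu access failure described there.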

Comment 16 Kurt Seifried 2013-08-09 04:28:28 UTC

*** This bug has been marked as a duplicate of bug 980590 ***

