Bug 913377 - (CVE-2013-0326) CVE-2013-0326 OpenStack nova: _base images permissions should not be world readable
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20130108,repor...
Keywords: Security
Depends On: 893100 961135 972912 980590 980591
Blocks: 913379 1119617
Reported: 2013-02-21 01:01 EST by Kurt Seifried
Modified: 2016-04-26 14:40 EDT
Doc Type: Bug Fix
Last Closed: 2014-10-07 01:51:40 EDT

Description Kurt Seifried 2013-02-21 01:01:19 EST
Nir Magnezi of Red Hat reports:

Description of problem:
=======================
nova _base images permissions shouldn are world readable.
I'd expect more strict

Version-Release number of selected component (if applicable):
=============================================================
Folsom.

How reproducible:
=================
100%

Steps to Reproduce:
===================
1. Run a few instances and check the files created at /var/lib/nova/instances/_base
  
Actual results:
===============
nova _base images permissions are world readable.

-rw-r--r--. 1 nova nova 241M Dec 31 12:16 f7e6702d38be6ef3a5a66812d56615252a7f1e04.part
-rw-r--r--. 1 qemu qemu 9.8G Dec 31 12:17 f7e6702d38be6ef3a5a66812d56615252a7f1e04
-rw-r--r--. 1 qemu qemu  20G Dec 31 12:30 f7e6702d38be6ef3a5a66812d56615252a7f1e04_20
-rw-r--r--. 1 qemu qemu  40G Dec 31 12:37 f7e6702d38be6ef3a5a66812d56615252a7f1e04_40
-rw-r--r--. 1 nova nova  20G Dec 31 15:56 ephemeral_0_20_None
-rw-r--r--. 1 qemu qemu  20G Dec 31 15:57 ephemeral_0_20_None_20
-rw-r--r--. 1 qemu qemu 160G Jan  1 11:28 f7e6702d38be6ef3a5a66812d56615252a7f1e04_160
-rw-r--r--. 1 nova nova 241M Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557.part
-rw-r--r--. 1 nova nova 9.8G Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557
-rw-r--r--. 1 nova nova    0 Jan  3 12:40 b7b22e1d8a012c9b53c28777f6669459e5524557_20
-rw-r--r--. 1 nova nova 241M Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644.part
-rw-r--r--. 1 nova nova 9.8G Jan  6 15:52 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644
-rw-r--r--. 1 qemu qemu  20G Jan  6 15:53 af7ca6734c34f038c8f65cd9c61cbcbb08bc6644_20

Expected results:
=================
nova _base images should be more strict
Comment 4 Kurt Seifried 2013-10-09 01:45:10 EDT
The risks associated with fixing this bug in OpenStack 3.0 are greater than its security impact as it would require default behavior to be changed. A future release of OpenStack may address this issue.
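
An added audit sketch (not part of the bug report and not nova's own code): it lists regular files with the other-read bit set in a _base-style directory and also checks whether every directory above it lets other users traverse down to them, since the mode in the listing above only exposes data if the path is reachable. The function names, the sample tree and its file names are constructed for illustration; on a compute node the directory to audit would be /var/lib/nova/instances/_base.

```python
import os
import stat
import tempfile

def world_readable(base_dir):
    """Return sorted names of regular files in base_dir with the other-read bit set."""
    hits = []
    for entry in os.scandir(base_dir):
        st = entry.stat(follow_symlinks=False)
        if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
            hits.append(entry.name)
    return sorted(hits)

def reachable_by_others(path, stop_at="/"):
    """True if every directory from path up to stop_at grants o+x (traversal)."""
    path = os.path.abspath(path)
    stop_at = os.path.abspath(stop_at)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False  # one closed directory blocks access to everything below it
        if path == stop_at or path == os.path.dirname(path):
            return True
        path = os.path.dirname(path)

def audit(base_dir, stop_at="/"):
    """Map each world-readable file to whether other users can actually reach it."""
    exposed = reachable_by_others(base_dir, stop_at)
    return {name: exposed for name in world_readable(base_dir)}

def build_sample(root):
    """Constructed stand-in for an instances/_base tree (dummy names, 1-byte files)."""
    base = os.path.join(root, "instances", "_base")
    os.makedirs(base)
    for name, mode in (("image_a", 0o644), ("image_a_20", 0o644), ("image_b", 0o640)):
        p = os.path.join(base, name)
        with open(p, "w") as fh:
            fh.write("x")
        os.chmod(p, mode)
    for d in (root, os.path.join(root, "instances"), base):
        os.chmod(d, 0o755)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        base = build_sample(root)
        print(audit(base, stop_at=root))   # 0644 files, open path: exposed
        os.chmod(os.path.join(root, "instances"), 0o750)
        print(audit(base, stop_at=root))   # same modes, parent closed to others
```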
