Description of problem:
The s3 backend store uses temporary buffer files, created under the directory specified by the 's3_store_object_buffer_dir' config variable. If not explicitly set, this defaults to None, meaning tempfile.NamedTemporaryFile defaults to using the TMPDIR, TEMP and TMP env vars, then the platform-specific defaults (/tmp etc.). This default reliance on /tmp can lead to security issues.

Version-Release number of selected component (if applicable):
# sudo rpm -qa | grep glance
python-glanceclient-0.8.0-3.el6ost.noarch
openstack-glance-2012.2.3-7.el6ost.noarch
python-glance-2012.2.3-7.el6ost.noarch

How reproducible:
100%

Steps to Reproduce:
1. Enable the s3 backend
2. Fill up /tmp with:
   # set COUNT appropriately
   dd if=/dev/zero of=/tmp/filler.delete bs=1M count=$COUNT
3. Attempt to upload an image

Actual results:
The upload fails with ENOSPC from glance.s3.store.Store.add().

Expected results:
Buffer file location should default to some glance-specific dir outside of /tmp, e.g. /var/cache/glance/s3

Additional info:
We could address this by overriding s3_store_object_buffer_dir in the glance distribution config (/usr/share/glance/glance-api-dist.conf) *and* also ensuring in the openstack-glance.spec that the directory exists.
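As an added illustration (not Glance's own code, and not part of the original report), the following Python shows the two behaviours the description contrasts: with the buffer directory left unset, tempfile.NamedTemporaryFile falls back to the shared temp directory, whereas a private, owner-only directory can be created and validated before any buffer is written. It also shows the ENOSPC failure path being cleaned up rather than leaving a partial file behind. The helper names (resolve_buffer_dir, ensure_private_dir, write_buffer, buffer_is_private, demo), the sample "upload" bytes and the scratch directory are all constructed for this example and assume a POSIX host.

```python
import errno
import os
import stat
import tempfile

# Illustrative value matching the report's suggestion; the real Glance option is
# s3_store_object_buffer_dir, which defaulted to None at the time of the report.
SUGGESTED_BUFFER_DIR = "/var/cache/glance/s3"


def resolve_buffer_dir(configured):
    """Where NamedTemporaryFile(dir=configured) will actually place the file.

    None reproduces the reported default: tempfile consults TMPDIR, TEMP and
    TMP, then falls back to /tmp and friends, so the buffer ends up in a
    world-writable directory shared with every other process on the host.
    """
    return configured if configured is not None else tempfile.gettempdir()


def ensure_private_dir(path):
    """Create (if needed) and validate a directory usable only by our UID.

    Rejects symlinks, foreign ownership and any group/other permission bits, so
    a pre-planted or hijacked directory cannot be used to read or replace buffers.
    """
    os.makedirs(path, mode=0o700, exist_ok=True)
    st = os.lstat(path)  # lstat: a symlink planted at `path` must not pass
    if not stat.S_ISDIR(st.st_mode):
        raise RuntimeError("%s is not a directory" % path)
    if st.st_uid != os.geteuid():
        raise RuntimeError("%s is owned by uid %d, not by us" % (path, st.st_uid))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise RuntimeError("%s is group/other accessible (mode %o)"
                           % (path, stat.S_IMODE(st.st_mode)))
    return path


def write_buffer(buffer_dir, chunks):
    """Spool an upload into a temporary buffer file under buffer_dir.

    Returns the buffer path. On ENOSPC (the 'Actual results' in the report) the
    partial file is unlinked before the error propagates, so a full filesystem
    is not made worse by abandoned buffers.
    """
    tmp = tempfile.NamedTemporaryFile(dir=buffer_dir, prefix="glance-s3-", delete=False)
    try:
        for chunk in chunks:
            tmp.write(chunk)
        tmp.flush()
        os.fsync(tmp.fileno())
    except OSError as exc:
        tmp.close()
        os.unlink(tmp.name)
        if exc.errno == errno.ENOSPC:
            raise RuntimeError("buffer directory %s is full" % buffer_dir) from exc
        raise
    tmp.close()
    return tmp.name


def buffer_is_private(path):
    """True if the buffer is a regular file readable/writable by its owner only."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and stat.S_IMODE(st.st_mode) == 0o600


def demo(base=None):
    """Exercise the helpers in a scratch directory and report what happened."""
    base = base or tempfile.mkdtemp(prefix="glance-demo-")
    private = ensure_private_dir(os.path.join(base, "s3"))
    # Constructed sample upload: three chunks standing in for an image stream.
    path = write_buffer(private, [b"QFI\xfb", b"\x00" * 16, b"trailer"])
    with open(path, "rb") as fh:
        size = len(fh.read())
    # A directory that is group-accessible must be refused.
    leaky = os.path.join(base, "leaky")
    os.mkdir(leaky)
    os.chmod(leaky, 0o750)
    try:
        ensure_private_dir(leaky)
        leaky_rejected = False
    except RuntimeError:
        leaky_rejected = True
    return {
        "default_dir": resolve_buffer_dir(None),
        "buffer_in_private_dir": os.path.dirname(path) == private,
        "buffer_private": buffer_is_private(path),
        "bytes_written": size,
        "leaky_dir_rejected": leaky_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The ownership and mode checks in ensure_private_dir are what a packaged /var/cache/glance/s3 directory buys over /tmp: the spec file can create it once with the right owner, and the daemon can refuse to run if anyone has loosened it since.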
Using /tmp is also generally a bad idea from a security POV - there are many hundreds of CVEs resulting from programs using /tmp insecurely. Glance may be perfectly secure in this respect already, but it is better to not take any chances. If we default to /var/cache/glance/s3 or some similar private directory, we can ensure the directory is only writable+readable by the glance user ID, and also set appropriate selinux policy to restrict usage to just glance.
Using 0644 `/var/cache/glance` seems to make more sense.
we should:
1. install swift
2. configure it manually to use amazon s3 as backend
3. try to upload some file and ensure the temporary local copy of the file is in /var/cache/glance (rather than /tmp)
verified using openstack-glance-2013.2-3.el6ost, the temporary file goes in /var/cache/glance
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHEA-2013-1859.html