[openstack-dev] [OSSG][OSSN] Multiple Cinder drivers set insecure file permissions

Nathan Kinder nkinder at redhat.com
Sat May 31 15:20:55 UTC 2014



Multiple Cinder drivers set insecure file permissions
---

### Summary ###
Several Cinder volume drivers set insecure file permissions for various
files and directories. These permissions render the files accessible for
read and write to any user with access to the Cinder host as well as any
processes running on it. This exposes user block storage data to
potential disclosure, corruption, or destruction.

### Affected Services / Software ###
Cinder, Folsom, Grizzly, Havana, Icehouse

### Discussion ###
Several Cinder drivers set file permissions that allow read and write
access to 'group' and 'others'. Affected drivers include:

 - GPFS
 - GlusterFS
 - Huawei
 - NetApp/NFS
 - Nexenta
 - NFS
 - Scality

Essentially, user volumes are made accessible to all who have access to
the Cinder host. Daemons running on the host are also able to access the
affected user volumes. The relaxed file permissions can be exploited to
disclose, modify, corrupt, or destroy user volume data.

All versions of Cinder in Icehouse and earlier releases are vulnerable,
with a single exception: systems using the Icehouse GPFS driver.

This issue was reported by Dirk Mueller of SUSE.

### Recommended Actions ###
The GPFS driver in the Icehouse release fixes the file permissions issue
and also executes shell commands in non-root mode where possible.
Unfortunately, it is not practical to back-port the fix for the GPFS
driver to earlier OpenStack releases. It is anticipated that the other
affected drivers will be fixed in the OpenStack Juno release.

It is not possible to simply modify the file permissions to mitigate
the issue, as several of the affected drivers currently require the
relaxed file permissions to function. Additionally, file manipulation
cannot be uniformly restricted to a non-root user because often a
file may be created on one host using one uid, but mounted on another
host using a different uid.

You can check what drivers are being used by Cinder by executing the
following command on your Cinder host:

  > grep "^volume_driver" /etc/cinder/cinder.conf

You should compare the results of the above command against the list of
known vulnerable drivers in the "Discussion" section above to see if you
are affected. If you are running the Icehouse version of Cinder and the
GPFS driver is the only driver in use, your Cinder system is not
vulnerable to this issue.
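
The check above, extended into an added example that is not part of the
original advisory or of Cinder: it reads every volume_driver line together
with its config section, flags the ones naming a listed driver, and reports
regular files whose mode grants read or write to group or others. The keyword
matching, function names and sample configuration are assumptions of this
example.

```python
import os
import stat

# Keywords taken from the advisory's driver list. Substring matching on the
# driver path is an assumption of this example; "nfs" also catches NetApp/NFS.
AFFECTED = ("gpfs", "glusterfs", "huawei", "netapp", "nexenta", "nfs", "scality")
# Group/other read and write bits: the access the advisory describes.
RELAXED = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = """\
[DEFAULT]
#volume_driver = cinder.volume.drivers.glusterfs.GlusterfsDriver
[lvm1]
volume_driver = cinder.volume.drivers.lvm.LVMISCSIDriver
[nfs1]
volume_driver = cinder.volume.drivers.nfs.NfsDriver
"""

def configured_drivers(conf_text):
    """Return (section, driver) for each active (uncommented) volume_driver line."""
    section, found = "DEFAULT", []
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        key, sep, value = line.partition("=")
        if sep and key.strip() == "volume_driver" and value.strip():
            found.append((section, value.strip()))
    return found

def is_affected(driver):
    """True if the path names a listed driver (Icehouse GPFS is the one exception)."""
    return any(word in driver.lower() for word in AFFECTED)

def relaxed_files(root):
    """Return (path, octal mode) for regular files group or others can read or write."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & RELAXED:
                hits.append((path, oct(stat.S_IMODE(mode))))
    return sorted(hits)

if __name__ == "__main__":
    for section, driver in configured_drivers(SAMPLE_CONF):
        print(section, driver, "AFFECTED" if is_affected(driver) else "not listed")
```

Pass the contents of /etc/cinder/cinder.conf to configured_drivers(), and
point relaxed_files() at the directory where the driver in use keeps its
volume files.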

In the likely scenario that your system is vulnerable, you should limit
access to the Cinder host as much as possible.  You should also explore
alternatives such as applying mandatory access control policies
(SELinux, AppArmor, etc.) or using NFS uid squashing to control access
to the files in order to minimize the possible exposure.

### Contacts / References ###
This OSSN : https://wiki.openstack.org/wiki/OSSN/OSSN-0014
Original LaunchPad Bug : https://bugs.launchpad.net/cinder/+bug/1260679
OpenStack Security ML : openstack-security at lists.openstack.org
OpenStack Security Group : https://launchpad.net/~openstack-ossg


