[Openstack-security] [Bug 1129748] Re: image files in _base should not be world-readable
Xavier Queralt
1129748 at bugs.launchpad.net
Wed Jul 10 09:34:17 UTC 2013
I don't see a clear solution for this problem in nova and I think this
could be better handled in the packaging.
When changing the mode of the instances' directory to 0760 we are also
preventing the user 'qemu' to access the images and other files we store
there (See nova-compute logs @ 2013-06-07 15:35:00.955 [1]).
>From libvirt's documentation [2]:
"The directories /var/run/libvirt/qemu/, /var/lib/libvirt/qemu/ and
/var/cache/libvirt/qemu/ must all have their ownership set to match the
user / group ID that QEMU guests will be run as. If the vendor has set a
non-root user/group for the QEMU driver at build time, the permissions
should be set automatically at install time. If a host administrator
customizes user/group in /etc/libvirt/qemu.conf, they will need to
manually set the ownership on these directories."
In Fedora and RedHat the QEMU guests run as qemu (group qemu) while in
debian and ubuntu they runs as libvirt-qemu (group kvm).
An easy solution would be to just change the group of the instances
directory to the one qemu is going to use (either qemu or kvm) while
still changing the permissions on that directory to 0760. And I'd
definitely do this on the packaging level.
Because, besides libvirt, is there any other virt driver storing images
in the instances directory?
[1] http://logs.openstack.org/32146/2/check/gate-tempest-devstack-vm-full/21468/logs/screen-n-cpu.txt.gz
[2] http://libvirt.org/drvqemu.html#securitydriver
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1129748
Title:
image files in _base should not be world-readable
Status in OpenStack Compute (Nova):
In Progress
Bug description:
Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
so probably no point making this private. But I checked the security
vulnerability box anyway so someone else can decide.
We create image files in /var/lib/nova/instances/_base with default
permissions, usually 644. It would be better to not make the image
files world-readable, in case they contain private data.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1129748/+subscriptions
More information about the Openstack-security
mailing list