[Openstack-security] [Bug 1129748] Re: image files in _base should not be world-readable
David Ripton
dripton at redhat.com
Wed Jul 10 14:21:11 UTC 2013
Thanks Xavier. My patch failed because it narrowed permissions to only
the openstack user, not also the qemu user.
I agree that group permissions should fix this. But I think it's safer
to do it internally in nova rather than punting to packagers, if we can.
That way we fix it once rather than relying on others to fix it multiple
times. The challenge is knowing the correct group in a portable way.
--
https://bugs.launchpad.net/bugs/1129748
Title:
image files in _base should not be world-readable
Status in OpenStack Compute (Nova):
In Progress
Bug description:
Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
so probably no point making this private. But I checked the security
vulnerability box anyway so someone else can decide.
We create image files in /var/lib/nova/instances/_base with default
permissions, usually 644. It would be better to not make the image
files world-readable, in case they contain private data.
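An added example, not part of the original message or of nova's own code: a Python audit of a directory such as `_base` for regular files that grant any permission to "other", plus a fix that narrows them to owner and group. The `gid` parameter is an assumption standing in for whichever group contains both the service user and the qemu user, and the sample file is constructed.

```python
import os
import stat
import tempfile

WORLD_BITS = stat.S_IRWXO  # any permission granted to "other"


def find_world_accessible(base_dir):
    """Return sorted paths of regular files under base_dir with any 'other' bits set."""
    hits = []
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            # Skip symlinks and special files; only regular files hold image data.
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_BITS:
                hits.append(path)
    return sorted(hits)


def restrict_to_owner_and_group(path, gid=None):
    """Drop all 'other' bits; optionally hand the file to a shared group.

    gid is an assumption of this example: the numeric id of a group that
    contains both the service user and the hypervisor (qemu) user.
    """
    if gid is not None:
        os.chown(path, -1, gid)  # -1 keeps the current owner
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~WORLD_BITS  # 0o644 becomes 0o640
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Build a constructed _base directory, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as base:
        image = os.path.join(base, "constructed-image")
        with open(image, "wb") as fh:
            fh.write(b"\0" * 16)
        os.chmod(image, 0o644)  # the default mode named in the bug
        before = find_world_accessible(base)
        new_mode = restrict_to_owner_and_group(image)
        after = find_world_accessible(base)
        return len(before), oct(new_mode), len(after)


if __name__ == "__main__":
    print(demo())
```

Group read survives the fix, so a hypervisor user in the file's group can still open the image while unrelated local users cannot.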