[Openstack-security] [Bug 1260679] Fix merged to cinder (master)

OpenStack Infra 1260679 at bugs.launchpad.net
Thu Feb 20 20:08:48 UTC 2014


Reviewed:  https://review.openstack.org/73112
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=b0ac8294dd9d8dbddfbb320c62d7264daf55be26
Submitter: Jenkins
Branch:    master

commit b0ac8294dd9d8dbddfbb320c62d7264daf55be26
Author: Bill Owen <billowen at us.ibm.com>
Date:   Wed Feb 12 17:37:36 2014 -0700

    Update gpfs driver volume creation process
    
    Modify gpfs driver to set file permissions in
    a more consistent way.
    
    Modify image_utils.resize_image to allow caller
    to request it be run as root.
    
    SecurityImpact
    Change-Id: Ic01d91c0d660c74095e8d2b212279b39b9b9dc05
    Partial-Bug: #1260679

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1260679

Title:
  Multiple drivers set insecure file permissions

Status in Cinder:
  In Progress
Status in OpenStack Security Notes:
  In Progress

Bug description:
  GPFS from various places calls "chmod 666" as root:

  ./cinder/volume/drivers/gpfs.py:        self._execute('chmod', '666', path, run_as_root=True)
  ./cinder/volume/drivers/gpfs.py:            self._execute('chmod', '666', vol_path, run_as_root=True)

  The Huawei driver sets 777 permissions as root on some files:

  ./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
  ./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)

  The Scality driver sets 666 permissions on all volumes:

  cinder/volume/drivers/scality.py:

      def _create_file(self, path, size):
          with open(path, "ab") as f:
              f.truncate(size)
          os.chmod(path, 0o666)

  Similarly, the NFS and NEXENTA drivers have an implementation of

  def _set_rw_permissions_for_all()

  that is being called on all newly created volumes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
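
One way to audit driver source for the pattern listed in the bug description, shown here as an added example that is not part of the original notification or of Cinder's code. It parses Python source and reports chmod calls whose literal mode sets the world-writable bit, covering both the execute('chmod', '666', ...) form and the os.chmod(path, 0o666) form; the function names and the SAMPLE text are constructed for illustration.

```python
import ast

WORLD_WRITABLE = 0o002  # the "other" write bit


def _mode_of(node):
    """Return a literal permission mode as an int, else None."""
    value = node.value if isinstance(node, ast.Constant) else None
    if isinstance(value, str):            # execute('chmod', '666', path)
        try:
            return int(value, 8)
        except ValueError:                # symbolic mode or a flag such as -R
            return None
    if isinstance(value, int) and not isinstance(value, bool):
        return value                      # os.chmod(path, 0o666)
    return None


def find_world_writable_chmods(source):
    """Return sorted (line, octal mode) pairs for chmod calls, made directly
    or through an execute()/_execute() wrapper, that grant o+w."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or len(node.args) < 2:
            continue
        func, first = node.func, node.args[0]
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        via_exec = (name in ("execute", "_execute")
                    and isinstance(first, ast.Constant) and first.value == "chmod")
        if name == "chmod" or via_exec:
            mode = _mode_of(node.args[1])
            if mode is not None and mode & WORLD_WRITABLE:
                hits.append((node.lineno, oct(mode)))
    return sorted(hits)

# Constructed sample modelled on the calls quoted in the bug description.
SAMPLE = '''
def a(self, path):
    self._execute('chmod', '666', path, run_as_root=True)
def b(filepath):
    utils.execute('chmod', '777', filepath, run_as_root=True)
def c(path):
    os.chmod(path, 0o666)
def d(path):
    os.chmod(path, 0o660)
'''

if __name__ == "__main__":
    print(find_world_writable_chmods(SAMPLE))
```

Modes passed as variables or in symbolic form (for example a+w) are not resolved by this check, so those calls go unreported and still need manual review.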



