[Openstack-security] [Bug 1129748] Re: image files in _base should not be world-readable
Thomas Goirand
thomas at goirand.fr
Wed Jun 18 17:11:46 UTC 2014
IMHO 2 things should be fixed here:
- the /var/lib/nova/instances/_base containing folder should *not* have
the world bit x, because otherwise anyone with a login on the system can
list files in the folder.
- the images in the folder shouldn't be world readable.
A patch to fix this issue should address both.
Both are of IMO low importance security issues. Low importance because
there's a very narrow use case for using a computer for both multi-user
system accounts and running a nova compute load. Though narrow, having
OpenStack used instead of something like Virtualbox is still a
possibility we shouldn't discard, so it shall be fixed ASAP.
As explained on IRC, yes, distributions could potentially address the
issue for the folder's rights. Though it's IMO preferable to not off-
load this kind of things to downstream. Distributions typically would
only create /var/lib/nova, and nothing else.
Also, in Neutron, I've set the rights for /var/lib/neutron to:
drwxr-x---
Is it the view of the project that I should do the same for Nova and
everything else? It is my understanding that by doing so, a lot of
things would break. Already, in Neutron, this breaks dnsmasq unless
dhcp.py is patched to add --user=neutron (which I think is preferable
than leaving the folder as world readable). Thoughts welcome.
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1129748
Title:
image files in _base should not be world-readable
Status in OpenStack Compute (Nova):
New
Bug description:
Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
so probably no point making this private. But I checked the security
vulnerability box anyway so someone else can decide.
We create image files in /var/lib/nova/instances/_base with default
permissions, usually 644. It would be better to not make the image
files world-readable, in case they contain private data.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1129748/+subscriptions
More information about the Openstack-security
mailing list