[Openstack-security] [Bug 1260679] Re: Multiple drivers set insecure file permissions
OpenStack Infra
1260679 at bugs.launchpad.net
Mon Oct 20 17:25:32 UTC 2014
** Changed in: cinder
Assignee: Glenn M. Gobeli (glenng) => Ben Swartzlander (bswartz)
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1260679
Title:
Multiple drivers set insecure file permissions
Status in Cinder:
In Progress
Status in OpenStack Security Notes:
Fix Released
Bug description:
GPFS from various places calls "chmod 666" as root:
./cinder/volume/drivers/gpfs.py: self._execute('chmod', '666', path, run_as_root=True)
./cinder/volume/drivers/gpfs.py: self._execute('chmod', '666', vol_path, run_as_root=True)
the Huawei driver sets 777 permissions as root on some files:
./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
the Scality driver sets 666 permissions on all volumes:
cinder/volume/drivers/scality.py:
def _create_file(self, path, size):
with open(path, "ab") as f:
f.truncate(size)
os.chmod(path, 0o666)
Similarly, the NFS and NEXENTA driver have an implementation of
def _set_rw_permissions_for_all()
that is being called on all newly created volumes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
More information about the Openstack-security
mailing list