[Openstack-security] [Bug 1260679] Fix merged to cinder (master)

OpenStack Infra 1260679 at bugs.launchpad.net
Fri Oct 24 12:11:13 UTC 2014


Reviewed:  https://review.openstack.org/107693
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=6879bd0720b2c4c5ef4d2f2c42fe0e4e436ba998
Submitter: Jenkins
Branch:    master

commit 6879bd0720b2c4c5ef4d2f2c42fe0e4e436ba998
Author: Glenn M. Gobeli <Glenn.Gobeli at netapp.com>
Date:   Thu Jun 12 09:31:25 2014 -0400

    NFS Security Enhancements: allows secure NFS environment setup
    
    This patch allows an OpenStack environment to run as a secure NAS
    environment from the client and server perspective, including having
    root squash enabled and not running file operations as the 'root'
    user. This also sets Cinder file permissions as 660: removing
    other/world file access.
    
    The "nas_secure_file_permissions" option controls the setting of file
    permissions when Cinder volumes are created. The option defaults to
    "auto" to gracefully handle upgrade scenarios. When set to "auto",
    a check is done during Cinder startup to determine if there are
    existing Cinder volumes: no volumes will set the option to 'true',
    and use secure file permissions. The detection of existing volumes will
    set the option to 'false', and use the current insecure method of
    handling file permissions.
    
    The "nas_secure_file_operations" option controls whether file
    operations are run as the 'root' user or the current OpenStack
    'process' user. The option defaults to "auto" to gracefully handle
    upgrade scenarios. When set to "auto", a check is done during Cinder
    startup to determine if there are existing Cinder volumes: no volumes
    will set the option to 'true', be secure and do NOT run as the 'root'
    user. The detection of existing volumes will set the option to 'false',
    and use the current method of running operations as the 'root' user.
    For new installations, a 'marker file' is written so that subsequent
    restarts of Cinder will know what the original determination had been.
    
    This patch enables this functionality only for the NFS driver.
    Other similar drivers can use this code to enable the same
    functionality with the same config options.
    
    DocImpact
    Change-Id: I3d25f593beab7f5462576b14ab62d13d8c53e7c6
    Implements: blueprint secure-nfs
    Partial-Bug: 1260679

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1260679

Title:
  Multiple drivers set insecure file permissions

Status in Cinder:
  In Progress
Status in OpenStack Security Notes:
  Fix Released

Bug description:
  GPFS from various places calls "chmod 666" as root:

  ./cinder/volume/drivers/gpfs.py:        self._execute('chmod', '666', path, run_as_root=True)
  ./cinder/volume/drivers/gpfs.py:            self._execute('chmod', '666', vol_path, run_as_root=True)

  the Huawei driver sets 777 permissions as root on some files:

  ./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
  ./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)

  the Scality driver sets 666 permissions on all volumes:

  cinder/volume/drivers/scality.py:

      def _create_file(self, path, size):
          with open(path, "ab") as f:
              f.truncate(size)
          os.chmod(path, 0o666)

  Similarly, the NFS and NEXENTA drivers have an implementation of

  def _set_rw_permissions_for_all()

  that is being called on all newly created volumes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
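
Added example, not part of the original notification and not Cinder's own code: a volume file created with mode 660 from the start (instead of the create-then-chmod-666 pattern quoted in the bug description), plus an audit that lists files under a mount directory that still grant access to other/world. The function names, the constructed temporary directory and the file names are assumptions for illustration.

```python
import os
import stat
import tempfile

WORLD_BITS = stat.S_IRWXO  # 0o007: any read/write/execute bit for "other"


def create_volume_file(path, size, mode=0o660):
    """Create a sparse volume file that is never accessible to 'other'."""
    # Assumption: volume files are created fresh, so O_EXCL refuses to reuse
    # an existing path. The mode is applied at creation time, leaving no
    # window in which the file is world-accessible.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)  # umask may have cleared bits; set the exact mode
        os.ftruncate(fd, size)
    finally:
        os.close(fd)


def find_world_accessible(root):
    """Return sorted (path, octal mode) pairs for regular files with any 'other' bit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & WORLD_BITS:
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def demo():
    """Constructed mount directory: one legacy 666 file and one 660 file."""
    with tempfile.TemporaryDirectory() as mnt:
        legacy = os.path.join(mnt, "volume-legacy")
        with open(legacy, "ab") as f:
            f.truncate(1024)
        os.chmod(legacy, 0o666)  # the behaviour described in the bug report
        create_volume_file(os.path.join(mnt, "volume-secure"), 1024)
        return [(os.path.basename(p), m) for p, m in find_world_accessible(mnt)]


if __name__ == "__main__":
    print(demo())
```

Pointing find_world_accessible at a real volume mount shows which existing files would keep the old permissions after an upgrade.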



