[Openstack-security] [Bug 1367000] Re: Malicious name could lead to local information disclosure vulnerability

Travis McPeak travis.mcpeak at hp.com
Wed Sep 10 14:28:33 UTC 2014


What about for the file permissions issue?  We should at least lock it
down so that the files it creates are only readable/writeable for the
specific cinder user, otherwise anybody on the box can tamper with/read
sensitive data from these files.

-- 
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1367000

Title:
  Malicious name could lead to local information disclosure
  vulnerability

Status in Cinder:
  Confirmed
Status in OpenStack Security Advisories:
  Won't Fix

Bug description:
  In the cinder scality driver, the following code sets file permissions to 0o666 (read, write for all users):
  https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L118

  This code is called in a couple of locations, one of which is here: 
  https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L172

  That line of code gets the filename from this function: 
  https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L185

  Which joins two paths, one of which is this:
  https://github.com/openstack/cinder/blob/master/cinder/volume/drivers/scality.py#L181

  Which joins two paths, one of which is volume['name'], which is
  unsanitized input.  If a malicious user sets a volume name to something
  like "/etc/passwd", the /etc/passwd permissions will be set to '0o666'
  with the privileges of the user that is running Cinder.  This could be
  used to expose files and sensitive data on the machine that is running
  Cinder.  If combined with another vulnerability this could lead to
  some really bad things.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1367000/+subscriptions
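
The path-join defect described in the bug report, as an added example written for this page and not Cinder's or the Scality driver's own code: join_unsafe mirrors the vulnerable os.path.join(mount_point, volume['name']) pattern, showing that os.path.join() discards the mount point as soon as the name is absolute, and that a "../" name walks out of it just as easily. join_confined and create_volume_file_hardened show one way to refuse such names and create the volume file owner-only (0o600) instead of 0o666, which is the lockdown suggested in the reply above. All function names, the mount-point layout and the scratch "etc_passwd" stand-in file are constructed for the demonstration and are assumptions, not identifiers from the driver.

```python
# Added example, not Cinder's own code. Function names, the mount-point
# layout and the scratch "etc_passwd" file are constructed for the demo.
import os
import tempfile


def join_unsafe(mount_point, volume_name):
    """Mirrors the vulnerable pattern os.path.join(mount_point, volume['name']).

    os.path.join() drops every preceding component as soon as it meets an
    absolute one, so a name of "/etc/passwd" yields exactly "/etc/passwd";
    a name like "../../etc_passwd" simply walks out of the mount point.
    """
    return os.path.join(mount_point, volume_name)


def join_confined(mount_point, volume_name):
    """Hardened join: a single non-traversing component whose resolved path
    still sits under the mount point; raises ValueError otherwise."""
    if not volume_name or volume_name in (".", ".."):
        raise ValueError("empty or relative volume name")
    if os.sep in volume_name or (os.altsep and os.altsep in volume_name):
        raise ValueError("volume name must not contain path separators")
    base = os.path.realpath(mount_point)
    candidate = os.path.realpath(os.path.join(base, volume_name))
    # realpath() also follows symlinks, so a symlink inside the mount that
    # points at a foreign file is rejected here as well.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("volume path escapes the mount point")
    return candidate


def create_volume_file_unsafe(mount_point, volume_name):
    """Original behaviour: chmod 0o666 on whatever path the join produced."""
    path = join_unsafe(mount_point, volume_name)
    with open(path, "a"):
        pass
    os.chmod(path, 0o666)
    return path


def create_volume_file_hardened(mount_point, volume_name):
    """Confined path plus owner-only mode (the lockdown suggested above)."""
    path = join_confined(mount_point, volume_name)
    # Create with 0o600 from the start so there is no window with loose
    # bits, then re-apply in case the file already existed with a wider mode.
    fd = os.open(path, os.O_CREAT | os.O_WRONLY, 0o600)
    os.close(fd)
    os.chmod(path, 0o600)
    return path


def mode_bits(path):
    return os.stat(path).st_mode & 0o777


def demo():
    """Run both variants against a scratch tree; returns observed outcomes."""
    with tempfile.TemporaryDirectory() as scratch:
        mount = os.path.join(scratch, "mnt", "scality")
        os.makedirs(mount)
        # Constructed stand-in for a sensitive file outside the mount point.
        victim = os.path.join(scratch, "etc_passwd")
        with open(victim, "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.chmod(victim, 0o600)
        result = {"victim_mode_before": mode_bits(victim)}

        # Unsafe: an absolute "volume name" chmods the victim file to 0o666.
        create_volume_file_unsafe(mount, victim)
        result["victim_mode_after_unsafe"] = mode_bits(victim)

        # Unsafe: a traversal name resolves to the same victim file.
        traversal = os.path.join("..", "..", "etc_passwd")
        result["traversal_hits_victim"] = (
            os.path.normpath(join_unsafe(mount, traversal)) == victim)

        # Hardened: both malicious names are refused before any chmod.
        rejected = 0
        for name in (victim, traversal):
            try:
                create_volume_file_hardened(mount, name)
            except ValueError:
                rejected += 1
        result["hardened_rejected"] = rejected

        # Hardened: a legitimate name lands inside the mount, owner-only.
        good = create_volume_file_hardened(mount, "volume-0001")
        result["good_in_mount"] = os.path.dirname(good) == os.path.realpath(mount)
        result["good_mode"] = mode_bits(good)
        return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the check in join_confined is done on the resolved path, not on the string the tenant supplied: rejecting separators and ".." stops the obvious names, and the commonpath test on realpath() output catches anything that still ends up outside the mount, including a symlink planted inside it. The permissions change is independent of the path check; even with a confined path, creating the file 0o666 leaves it readable and writable by every local user, which is the point raised in the reply.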