[Openstack-security] [Bug 1129748] Re: image files in _base should not be world-readable

Tristan Cacqueray tdecacqu at redhat.com
Fri Feb 26 18:50:55 UTC 2016


Since this report concerns a possible security risk, an incomplete
security advisory task has been added while the core security reviewers
for the affected project or projects confirm the bug and discuss the
scope of any vulnerability along with potential solutions.

I agree with Robert, this exposes OpenStack user instance data to every
context running on the compute node. Shell users aside, I fail to see
why apache or even the nobody user would be allowed to list and read
disk files.

** Also affects: ossa
   Importance: Undecided
       Status: New

** Changed in: ossa
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1129748

Title:
  image files in _base should not be world-readable

Status in OpenStack Compute (nova):
  Opinion
Status in OpenStack Security Advisory:
  Incomplete

Bug description:
  Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
  so probably no point making this private.  But I checked the security
  vulnerability box anyway so someone else can decide.

  We create image files in /var/lib/nova/instances/_base with default
  permissions, usually 644.  It would be better to not make the image
  files world-readable, in case they contain private data.

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1129748/+subscriptions
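The check an operator would run for the condition described in the bug report, plus the restrictive create that the report argues for. This is an added example written for this page, not nova's own code: the directory path is a parameter (defaulting to nothing; the demo uses a temporary directory standing in for /var/lib/nova/instances/_base), the file names and contents are constructed, and the 0640 target mode is an assumption about what "not world-readable" should mean in practice (owner nova, group shared with the hypervisor).

```python
"""Audit a nova _base directory for world-readable image files.

Added example, not nova's code.  Finds regular files with the o+r bit set
(the 0644 default the bug describes) and shows creating a file with an
explicit restrictive mode instead.  Paths, names and contents below are
constructed for the demo.
"""
import os
import stat
import tempfile


def world_readable_files(base_dir):
    """Return sorted paths of regular files under base_dir readable by 'other'."""
    found = []
    for root, _dirs, files in os.walk(base_dir):
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)          # lstat: do not follow symlinks out of _base
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IROTH:
                found.append(path)
    return sorted(found)


def create_private_file(path, mode=0o640):
    """Create path with an explicit mode rather than the process default.

    The mode passed to open(2) is still masked by the process umask, so the
    file is chmod'ed afterwards to guarantee exactly the requested bits.
    0640 is an assumed target (owner nova, group e.g. qemu); returns the
    resulting permission bits.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    os.close(fd)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed scenario: a temp dir stands in for _base, no real image data."""
    base = tempfile.mkdtemp(prefix="_base_")
    leaky = os.path.join(base, "leaky.part")
    private = os.path.join(base, "private.part")
    with open(leaky, "wb") as f:
        f.write(b"constructed image bytes")
    os.chmod(leaky, 0o644)                   # the default mode the bug describes
    private_mode = create_private_file(private)
    offenders = [os.path.basename(p) for p in world_readable_files(base)]
    return offenders, private_mode


if __name__ == "__main__":
    offenders, private_mode = demo()
    for name in offenders:
        print("world-readable:", name)
    print("private file mode: %o" % private_mode)
```

Run against a real compute node by calling `world_readable_files("/var/lib/nova/instances/_base")` as a user that can traverse the directory; any path it returns is readable by every uid on the host, including service accounts such as apache or nobody.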
