[Openstack-security] [Bug 1129748] Re: image files in _base should not be world-readable
Rodney Beede
1129748 at bugs.launchpad.net
Tue Mar 1 03:27:32 UTC 2016
This would be a good hardening opportunity. One use case is you may
have unprivileged user accounts that are used for services like
monitoring or OS backups unrelated to the OpenStack images themselves.
Especially for monitoring, these accounts may have basic remote login
capability.
Not allowing the unprivileged accounts access via the world read/x bits
would be useful.
So perhaps a hardening option that ideally the code would follow a more
secure UMASK as well.
--
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1129748
Title:
image files in _base should not be world-readable
Status in OpenStack Compute (nova):
Opinion
Status in OpenStack Security Advisory:
Won't Fix
Bug description:
Already public in https://bugzilla.redhat.com/show_bug.cgi?id=896085 ,
so probably no point making this private. But I checked the security
vulnerability box anyway so someone else can decide.
We create image files in /var/lib/nova/instances/_base with default
permissions, usually 644. It would be better to not make the image
files world-readable, in case they contain private data.
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1129748/+subscriptions
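
Added example, not part of the original message or of nova's code: a shell audit for the condition the bug describes (files under /var/lib/nova/instances/_base reachable through the world read/write/execute bits), plus a helper showing how the creating process's umask decides those bits. The function names and the umask value 027 are illustrative assumptions; only the path and the 644 default come from the report.

```shell
#!/bin/sh
# Added example: find entries that unprivileged local accounts can reach
# through the "other" permission bits, and show the effect of a tighter umask.

# list_world_accessible DIR
# Prints every file or directory under DIR that has any of o+r, o+w, o+x set.
# Uses three POSIX -perm tests instead of the GNU-only "-perm /007".
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>/dev/null | sort
}

# count_world_accessible DIR
# Number of entries reported by list_world_accessible.
count_world_accessible() {
    list_world_accessible "$1" | wc -l | tr -d ' '
}

# create_with_umask MASK PATH
# Creates an empty file the way a service would under the given umask.
# The subshell keeps the umask change from leaking into the caller.
# umask 022 yields mode 644 (the default in the report); 027 yields 640.
create_with_umask() {
    ( umask "$1" && : > "$2" )
}

# Run as: sh audit.sh --audit [DIR]
# DIR defaults to the image cache path named in the bug report.
if [ "${1:-}" = "--audit" ]; then
    list_world_accessible "${2:-/var/lib/nova/instances/_base}"
fi
```

An empty result from the audit means no entry under the directory is exposed through the world bits; access through group membership or ACLs is outside what this check covers.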