[Openstack-security] [Bug 1260679] Re: Multiple drivers set insecure file permissions
Thierry Carrez
thierry.carrez+lp at gmail.com
Mon Feb 10 15:45:13 UTC 2014
** Information type changed from Private Security to Public
** Tags added: security
** Project changed: ossa => ossn
** Changed in: ossn
       Status: Incomplete => New
** No longer affects: cinder/grizzly
** No longer affects: cinder/havana
** Changed in: cinder
   Importance: Undecided => High
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1260679
Title:
Multiple drivers set insecure file permissions
Status in Cinder:
In Progress
Status in OpenStack Security Notes:
New
Bug description:
  GPFS from various places calls "chmod 666" as root:

    ./cinder/volume/drivers/gpfs.py:    self._execute('chmod', '666', path, run_as_root=True)
    ./cinder/volume/drivers/gpfs.py:    self._execute('chmod', '666', vol_path, run_as_root=True)

  The Huawei driver sets 777 permissions as root on some files:

    ./cinder/volume/drivers/huawei/ssh_common.py:    utils.execute('chmod', '777', filepath, run_as_root=True)
    ./cinder/volume/drivers/huawei/rest_common.py:    utils.execute('chmod', '777', filepath, run_as_root=True)

  The Scality driver sets 666 permissions on all volumes:

    cinder/volume/drivers/scality.py:
        def _create_file(self, path, size):
            with open(path, "ab") as f:
                f.truncate(size)
            os.chmod(path, 0o666)

  Similarly, the NFS and NEXENTA drivers have an implementation of

    def _set_rw_permissions_for_all()

  that is being called on all newly created volumes.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
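
An added example, not part of the original bug report or of Cinder's code: a static check that flags both call shapes quoted in the description above, the `execute('chmod', '666', ...)` wrapper form and the direct `os.chmod(path, 0o666)` form, when the mode grants write access to "other". The function names and the sample source are constructed for illustration; symbolic modes such as `o+w` are not handled.

```python
import ast

WORLD_WRITABLE = 0o002  # write bit for "other"

def _mode_of(call):
    """Return the numeric mode a chmod-style call sets, or None if it is not one."""
    func = call.func
    name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
    # Form 1: os.chmod(path, 0o666), mode is the second positional argument.
    if name in ("chmod", "fchmod") and len(call.args) >= 2:
        mode = call.args[1]
        if isinstance(mode, ast.Constant) and isinstance(mode.value, int):
            return mode.value
    # Form 2: execute('chmod', '666', path, ...), mode is an octal string.
    if name in ("execute", "_execute") and len(call.args) >= 2:
        cmd, mode = call.args[0], call.args[1]
        if (isinstance(cmd, ast.Constant) and cmd.value == "chmod"
                and isinstance(mode, ast.Constant) and isinstance(mode.value, str)):
            try:
                return int(mode.value, 8)
            except ValueError:
                return None  # symbolic mode, out of scope for this check
    return None

def find_world_writable_chmods(source):
    """Return sorted (line, mode) pairs for chmod calls that grant write to 'other'."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            mode = _mode_of(node)
            if mode is not None and mode & WORLD_WRITABLE:
                hits.append((node.lineno, oct(mode)))
    return sorted(hits)

# Constructed sample mirroring the call shapes in the bug description.
SAMPLE = '''\
def a(self, path):
    self._execute('chmod', '666', path, run_as_root=True)
def b(filepath):
    utils.execute('chmod', '777', filepath, run_as_root=True)
def c(path):
    os.chmod(path, 0o666)
def d(path):
    os.chmod(path, 0o640)
    utils.execute('chmod', '660', path, run_as_root=True)
'''

if __name__ == "__main__":
    print(find_world_writable_chmods(SAMPLE))
```

Only literal modes are caught; a mode passed through a variable or built at run time needs a review of the call site.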