[Openstack-security] [Bug 1260679] Re: Multiple drivers set insecure file permissions
Nathan Kinder
nkinder at redhat.com
Sat May 31 15:39:21 UTC 2014
Published as OSSN-0014 on the wiki and the openstack and openstack-dev
mailing lists:
https://wiki.openstack.org/wiki/OSSN/OSSN-0014
** Changed in: ossn
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of OpenStack
Security Group, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1260679
Title:
Multiple drivers set insecure file permissions
Status in Cinder:
In Progress
Status in OpenStack Security Notes:
Fix Released
Bug description:
GPFS from various places calls "chmod 666" as root:
./cinder/volume/drivers/gpfs.py: self._execute('chmod', '666', path, run_as_root=True)
./cinder/volume/drivers/gpfs.py: self._execute('chmod', '666', vol_path, run_as_root=True)
the Huawei driver sets 777 permissions as root on some files:
./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
the Scality driver sets 666 permissions on all volumes:
cinder/volume/drivers/scality.py:
def _create_file(self, path, size):
with open(path, "ab") as f:
f.truncate(size)
os.chmod(path, 0o666)
Similarly, the NFS and NEXENTA driver have an implementation of
def _set_rw_permissions_for_all()
that is being called on all newly created volumes.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cinder/+bug/1260679/+subscriptions
More information about the Openstack-security
mailing list