[Openstack] VFSLocalFS and password injection

Daniel P. Berrange berrange at redhat.com
Fri Sep 18 15:30:41 UTC 2015


On Fri, Sep 18, 2015 at 10:59:43AM -0400, J-P Methot wrote:
> On 2015-09-18 10:33 AM, Daniel P. Berrange wrote:
> > On Fri, Sep 18, 2015 at 10:10:22AM -0400, J-P Methot wrote:
> >> Hi,
> >>
> >> I have a question regarding the VFSLocalFS mechanism for password
> >> injection. Basically, because of our infrastructure, we can't use
> >> libguestfs for password injection and we do not want to inject password
> >> through metadata. This leads us to use the openstack VFSLocalFS
> >> mechanism for password injection.
> > 
> > NB, using VFSLocalFS is only suitable if you trust your guest disk
> > images. Since it uses the host kernel to mount the guest filesystem,
> > a malicious guest filesystem can exploit the host kernel. This is
> > not just theoretical as there have been exploits in mainstream FS
> > like ext3/4 before, not to mention all the obscure filesystem
> > drivers linux has that few people probably audited.
> > 
> 
> I see, thank you for the pointer. In our case we do trust our images as
> customers cannot upload new OS images in our infrastructure. However,
> they can upload snapshots of the VM they created from the image. Since
> they can modify the content of a vm, save it as a snapshot and then boot
> from it, am I right to think this may be a potential vulnerability?

Yep, I believe so - as nova doesn't see a distinction between your
fresh uploaded image and an image created from a snapshot of the
existing guest. It will run its file injection code on both, which
involves the mounting of the image FS on the host via VFSLocalFS.
The guest OS admin can write to /dev/sda1 (or whatever their root
FS may be) to try and create malicious data to exploit the host OS.

I meant to include this link before but forgot

  http://libguestfs.org/guestfs.3.html#security-of-mounting-filesystems

This security risk is essentially the core reason why libguestfs
has the architecture it does.

Regards,
Daniel
-- 
|: http://berrange.com      -o-    http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org              -o-             http://virt-manager.org :|
|: http://autobuild.org       -o-         http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org       -o-       http://live.gnome.org/gtk-vnc :|
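Added note for operators reading this thread (not part of the original mail): the nova.conf fragments below contrast the setting that triggers the VFSLocalFS fallback with one that avoids mounting any guest filesystem on the host. The `[libvirt]` option names and their semantics (`inject_partition = -2` disables injection) are given from memory of the Nova releases of that period and should be checked against your deployed version.

```ini
# nova.conf on a compute node -- illustrative fragment, not from the thread.
#
# Risky: file injection is enabled. When libguestfs is not usable, nova's
# libvirt driver falls back to VFSLocalFS, which attaches the image to the
# host and mounts the guest FS with the HOST kernel's filesystem drivers.
# Nova does this for freshly uploaded images and for tenant-created
# snapshots alike, so a tenant controls the filesystem the host mounts.
[libvirt]
inject_password = True
inject_key = True
inject_partition = 1       # partition number; VFSLocalFS cannot use -1 (inspect)

# Mitigated: injection disabled, so no guest filesystem is ever mounted on
# the host. Credentials must then reach the guest another way (metadata
# service / config drive), which is the trade-off the thread discusses.
[libvirt]
inject_password = False
inject_key = False
inject_partition = -2      # -2 = disable file injection entirely
```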