Cinder Huawei driver sets insecure permissions

Bug #1260680 reported by Dirk Mueller
Affects                      Status      Importance  Assigned to  Milestone
Cinder                       New         Undecided   Unassigned   (none)
OpenStack Security Advisory  Incomplete  Undecided   Unassigned   (none)

Bug Description

The Huawei driver sets 777 permissions as root on some files:

./cinder/volume/drivers/huawei/ssh_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)
./cinder/volume/drivers/huawei/rest_common.py: utils.execute('chmod', '777', filepath, run_as_root=True)

Dirk Mueller (dmllr)
information type: Public → Private Security
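The two grep hits above show the pattern: a file is written, then made world-readable and world-writable with `chmod 777` executed as root, so any local user can replace its contents. The following is an added example, not Cinder code and not the Huawei driver (it does not use cinder.utils.execute, and all file names and the sample source lines are constructed for illustration). It contrasts that pattern with creating the file atomically with a restrictive mode, adds a small audit that flags files writable by group or others, and includes a source scan for the `execute('chmod', '777'|'666', ...)` call shape that the bug report quotes.

```python
"""Added example: world-writable files created as root versus a restrictive
default, plus two checks a reviewer can run. Not part of Cinder."""
import os
import re
import stat
import tempfile

# Mode bits that allow anyone other than the owner to modify the file.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH

# Matches the call shape quoted in the bug report (777, and the 666 variant
# ttx mentions): execute('chmod', '777', path, run_as_root=True)
CHMOD_WORLD_WRITABLE = re.compile(
    r"""execute\(\s*['"]chmod['"]\s*,\s*['"](?:666|777)['"]""")

# Constructed sample lines modelled on the grep output in the report.
SAMPLE_SOURCE = [
    "utils.execute('chmod', '777', filepath, run_as_root=True)",
    "utils.execute('chmod', '666', filepath, run_as_root=True)",
    "utils.execute('chmod', '600', filepath, run_as_root=True)",
]


def insecure_create(path: str, data: bytes) -> int:
    """The reported pattern: write the file, then open it up to everyone.
    Returns the resulting permission bits (0o777)."""
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, 0o777)  # equivalent of `chmod 777 <path>` as root
    return stat.S_IMODE(os.stat(path).st_mode)


def secure_create(path: str, data: bytes, mode: int = 0o600) -> int:
    """Create the file with its final permissions from the first instant.

    O_EXCL refuses to follow a pre-planted file or symlink at `path`, and
    fchmod applies `mode` regardless of the caller's umask. Returns the
    resulting permission bits (0o600 by default)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
    try:
        os.fchmod(fd, mode)
        os.write(fd, data)
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_modes(paths):
    """Return {path: mode} for every file that group or others may write."""
    findings = {}
    for p in paths:
        mode = stat.S_IMODE(os.stat(p).st_mode)
        if mode & WRITABLE_BY_OTHERS:
            findings[p] = mode
    return findings


def scan_for_world_writable_chmod(lines):
    """Return 1-based line numbers whose text contains a chmod 777/666 call."""
    return [n for n, line in enumerate(lines, 1)
            if CHMOD_WORLD_WRITABLE.search(line)]


def demo():
    """Create one file each way in a scratch directory and audit both."""
    with tempfile.TemporaryDirectory() as d:
        bad = os.path.join(d, "backend_conf_bad")    # hypothetical name
        good = os.path.join(d, "backend_conf_good")  # hypothetical name
        bad_mode = insecure_create(bad, b"password=example")
        good_mode = secure_create(good, b"password=example")
        flagged = audit_modes([bad, good])
        return {
            "bad_mode": bad_mode,
            "good_mode": good_mode,
            "flagged": sorted(os.path.basename(p) for p in flagged),
        }


if __name__ == "__main__":
    print(demo())
    print("chmod 777/666 on lines:",
          scan_for_world_writable_chmod(SAMPLE_SOURCE))
```

The audit deliberately checks only the write bits: a driver may legitimately need a file readable by a service account, but nothing a root-owned service writes should be modifiable by every local user, and the fix for the reported calls is to pick the owning user and a mode such as 0600 or 0640 rather than 0777.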
Thierry Carrez (ttx) wrote :

NB: This was probably public for a minute.

Thierry Carrez (ttx) wrote :

Sounds legit, unless those backends actually rely on 666/777 files to work properly (!?)
Probably needs a common OSSA with bug 1260679.

Changed in ossa:
status: New → Incomplete
John Griffith (john-griffith) wrote :

Checking with the driver maintainers on both of these to see if this is a requirement or not. I'd say it's a valid security issue, but I'll need input from IBM and Huawei in terms of their capabilities and what our options are here.

Thierry Carrez (ttx) wrote :

@John: if you confirmed that it's not a requirement, could you fix it in the same patch as the GPFS one? Just post it on the other bug.

Brian Rosmaita (brian-rosmaita) wrote :

The bug this is a duplicate of was made public on 2014-02-10. Additionally, the vulnerability was in Icehouse and earlier; Icehouse went EOL on 2015-07-02. So no sense keeping this as a private security bug.

information type: Private Security → Public