IBM NAS cinder driver sets 'rw' permissions to all during volume create operation, which is a security issue

Bug #1367238 reported by Nilesh Bhosale
Affects: Cinder; Status: Fix Released; Importance: High; Assigned to: Nilesh Bhosale
Affects: OpenStack Security Advisory; Status: Won't Fix; Importance: Undecided; Assigned to: Unassigned

Bug Description

IBM NAS cinder driver sets 'rw' permissions to all during volume create operation from a volume snapshot or from an existing volume (volume clone operation).
This is not required as 'rw' permissions to the user only should be sufficient.
This also helps resolve the security issue of setting 'rw' permissions to all.

Changed in cinder:
assignee: nobody → Nilesh Bhosale (nilesh-bhosale)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to cinder (master)

Fix proposed to branch: master
Review: https://review.openstack.org/120067

Changed in cinder:
status: New → In Progress
Jay Bryant (jsbryant)
Changed in cinder:
importance: Undecided → High
milestone: none → juno-rc1
tags: added: drivers ibmnas
Jeremy Stanley (fungi) wrote :

I've flagged this as a potential vulnerability and added an incomplete security advisory task while the impact is assessed. Does this potentially affect existing Cinder releases or only master/juno?

information type: Public → Public Security
Changed in ossa:
status: New → Incomplete
Thierry Carrez (ttx) wrote :

This looks valid to me -- I'm just unsure how exploitable that ends up being, i.e. is it a bug or a vulnerability? Who ends up having access to that rw-for-all volume? Also it looks like _set_rw_permissions_for_all() should just die in a fire; I can't find an interesting usage for it, apart from adding new vulnerabilities in the code.

Eric Harney (eharney) wrote :

Cinder has operated in this fashion for a while with various drivers. Work is underway to improve the situation but it isn't a switch that can be flipped quite yet because it will break existing installs.

We worked on this in Juno but didn't get there yet: https://review.openstack.org/#/c/107693/

Someone has to be able to mount the file share to access these files or access the cinder-volume / nova-compute host, so this isn't something that is directly exploitable for a user to access data. Setting export controls on the NFS/*FS server is advisable.

Everyone agrees that this needs to be fixed, and I think the above patch should get there in Kilo since it has some acceptance as the right general idea. The plan is to introduce a config option that lets people enforce the new permissions model, and add code to drivers to help migrate over existing configurations.

Jeremy Stanley (fungi) wrote :

Given that it's confirmed as non-exploitable and it doesn't sound like the solution is one which would get backported to stable release branches, we should treat this as a security hardening fix rather than an advisory. If nobody complains to the contrary we'll switch it on Thursday.

Changed in cinder:
assignee: Nilesh Bhosale (nilesh-bhosale) → Jay Bryant (jsbryant)
Nilesh Bhosale (nilesh-bhosale) wrote :

Why is the assignee changed to 'Jay Bryant' from 'Nilesh Bhosale'?

Thierry Carrez (ttx) wrote :

I have no idea why. Fixed.

Changed in cinder:
assignee: Jay Bryant (jsbryant) → Nilesh Bhosale (nilesh-bhosale)
Nilesh Bhosale (nilesh-bhosale) wrote :

Thanks :-)

OpenStack Infra (hudson-openstack) wrote : Fix merged to cinder (master)

Reviewed: https://review.openstack.org/120067
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=3fff55681739872ab125aa7f0677f7d836c10615
Submitter: Jenkins
Branch: master

commit 3fff55681739872ab125aa7f0677f7d836c10615
Author: Nilesh Bhosale <email address hidden>
Date: Sun Aug 24 13:06:29 2014 +0530

    IBMNAS: Remove call to set r/w permissions to all

    During cinder volume create operation from a volume snapshot or
    from an existing volume (volume clone operation), the ibmnas
    driver sets 'rw' permissions to all, which is unnecessary and
    also poses security concerns.
    Fixing this issue, removing the calls to set rw permissions to
    all during these operations and adding a call to set 'rw'
    permissions only to the owner to make sure even if umask is set
    at the filesystem level, which might deny 'rw' access to the owner
    we explicitly set the required permissions on the volume file.

    Change-Id: I0e5ba9262a298e088f7724ddeda3537afa4b023e
    Closes-Bug: #1367238
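
The permission model discussed in this report, as an added example (not Cinder's or the IBM NAS driver's code): it lists files on a share mount that grant any group or other access, and shows that adding owner 'rw' explicitly works even when a umask stripped it at creation. The function names, the file names and the temporary directory standing in for the share are assumptions.

```python
import os
import stat
import tempfile

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def find_overexposed(share_dir):
    """Return {filename: mode} for regular files granting group/other access."""
    hits = {}
    for entry in os.scandir(share_dir):
        if entry.is_file(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & GROUP_OR_OTHER:
                hits[entry.name] = mode
    return hits


def set_owner_rw(path):
    """Same effect as `chmod u+rw`: add owner read/write, change nothing else."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode | stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Constructed sample: one rw-for-all clone, one clone made under a harsh umask."""
    with tempfile.TemporaryDirectory() as share:  # stands in for the share mount
        old_style = os.path.join(share, "volume-old-clone")
        new_style = os.path.join(share, "volume-new-clone")
        open(old_style, "w").close()
        os.chmod(old_style, 0o666)      # 'rw' to all, as the bug describes
        old_umask = os.umask(0o277)     # umask that denies the owner write access
        try:
            os.close(os.open(new_style, os.O_CREAT | os.O_WRONLY, 0o666))
        finally:
            os.umask(old_umask)
        created = stat.S_IMODE(os.stat(new_style).st_mode)
        fixed = set_owner_rw(new_style)  # explicit owner 'rw', independent of umask
        return find_overexposed(share), created, fixed


if __name__ == "__main__":
    exposed, created, fixed = demo()
    print({name: oct(mode) for name, mode in exposed.items()}, oct(created), oct(fixed))
```

Pointing `find_overexposed` at a real share mount gives a quick inventory of volume files left behind by the old behaviour.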

Changed in cinder:
status: In Progress → Fix Committed
Jeremy Stanley (fungi) wrote :

The assignee was automatically updated when Jay uploaded patchset 4 of https://review.openstack.org/120067 since it was assumed he was taking over the change.

Jay Bryant (jsbryant) wrote :

Nilesh, sorry for the confusion. As Jeremy noted, I pushed up a new patch set to address Eric's comment. The assignee gets changed when that happens. I believe you still get credit for the commit though. Sorry for the confusion.

Thierry Carrez (ttx)
tags: added: security
information type: Public Security → Public
Changed in ossa:
status: Incomplete → Won't Fix
Thierry Carrez (ttx)
Changed in cinder:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in cinder:
milestone: juno-rc1 → 2014.2